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Abstract Title: Computer security arrangement for protection against malicious attacks 



A security arrangement for a computer uses a system of 
rules to detect unusual behaviour, notify the user of 
unusual behaviour and learn acceptable behaviour 
patterns. It also automatically segregates programs, 
monitors the amount of data sent out, blocks certain . 
activities, prevents malicious software from falsifying the 
user's input and segregates programs into their natural 
environments. A security arrangement with a device driver 
or OS in ring 0 is also described as is a security 
arrangement where some of the OS functions are replaced. 
The arrangement may be applied to a storage medium. 
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Abstract 



Malicious software attacks (such as for example stealing data, changmg data or 
destroying data) on personal computers and/or servers and/or other 
computerized gadgets (especially through the Internet) are becommg more and 
more common and more and more dangerous, causing damages of ^ens ot 
billions of dollars each year. The state-of the-art solutions are mherently limited 
because they solve only a limited number of problems on the surface, instead ot 
going deeply into the roots of the problem. The most common solutions are 
Anti-viruses and firewalls. Ami-viruses are limited because they can only detect 
known viruses or worms that have already been identified (usually after they 
have already attacked many computers). Network firewalls are typically based 
on packet filtering, which is limited in principle, since the rules of which 
packets to accept or not may contain for example subjective decisions based on 
trusting certain sites or certain applications. However, once security is breached 
for any reason, for example due to an en-or or intended deception, a hostile 
application may take over the computer or server or the entire network and 
create unlimited damages (directly or by opening the door to additional 
malicious applications). They are also not effective against secunty holes tor 
example in browsers or e-mail programs or in the operating system itself 
According to an article in ZDnet from Jan 24, 2001, security holes m critical 
applications are discovered so often that just keeping up with all the patches is 
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impractical. Also, without proper generic protection for example against Trojan 
horses, which can identify any malicious program without prior knowledge 
about it, even VPNs (Virtual Private Networks) and other form of data 
encryption, including digital signatures, are not really safe because the info can 
be stolen before or below the encryption. Even personal firewalls are typically 
limited, because once a program is allowed to access the Internet, there are no 
other limitations for example on what files it may access and send or what it 
might do. The present invention creates a general generic comprehensive 
solution by going deeply into the roots of the problem. One of the biggest 
absurdities of the state-of-the-art situation is that by default programs are 
allowed to do whatever they like to other programs or to their data files or to 
critical files of the operating system, which is as absurd as letting a guest in a 
hotel bother any other guests as he pleases, steal their property or copy it or 
destroy it, destroy their rooms, etc., or for example have free access to the 
hotel's safe or electronic switchboard or phone or elevator control room. The 
present concept is based on automatic segregation between programs: It is like 
limiting each guest by default to his room and limiting by default his access to 
the Hotel's strategic resources, so that only by explicit permission each guest 
can get additional privileges. 
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Backarounri of ihc invention 
Field of the invention: 

The present invention relates to security in computers ('"^'"^^^J SJ^! 
computers, servers, or other computerised gadgets, as ^^^'^'""'^J^'^'^^^^Zl 
and more specifically to a powerful comprehensive generic Secunty System and 
method for computers, based on automatic segregation between programs. 

Backuround 

Malicious software attacks on personal computers and/or ^^-^^^Jf^^^^^^^^ 
through the Internet) are becoming more and more common and ""^^ -^"f 
dancerous According to recent study by the American CSl research instUutc (The 
Sput e sLrity institute), during the last year alone approximately 0^^-n o 
the largest American companies were attacked by at least one malicious Internet 
sottwarc. with an average damage of abt)ut 500.000 USD per attack. 

As the attacks for example by the ^ \ LOVE YOU ' virus and its derivatives 
demonstrate, which affected almost instantly tens of millions ol ^<>"'P'^'''' 
estimated damages of more than 10 billion dollars - the conventional anti-virus 
p^gr^ms and their methods are inadequate to handle 

dependent on past familiar code patterns of known malicious software instead «l 
t^^nrto prevent in advance all kinds of attacks in principle. Such attacks are en^b ed 
tecause of an almost infinite number of loopholes and yulnerabiliturs .n operating 
systems, by the fact that far too many processes occur ""'J^''^^;!? ^"^^'^^'^^^^^^^^^ 
user s knowledge, and by badly-engineered applications. Ihese loopholes and 
vulnerabilities include for example: 

1 The possibility of attempting to connect from the outside to the user's 
computer while the user is surfing on the net, without any wammg to the user 
that such attempt is being made. 

■y The readiness of certain applications to execute Macro commands or scripts or 
applets or other executable attachments from incoming e-mail messages or 
web pages without any warning and without asking for the user s 
authorization, and without checking what these exccutables or scripts try to do 
(if allowed to run). 

3. The ability of applications to open a network connection to the outside without 
any warning or request of authorization from the user. 

4 The ability of applications to perform extremely dangerous operations such as 
■ for example deleting or sabotaging multiple files or making changes to 

sensitive system areas or formatting emire drives without warning the user and 
requesting authorization from the user. 

5 Lack of checks against string overflow or bufTer overflow in some 
communicauon applications so that they can be crashed for example by large 
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strings that contain malicious code that overwrite part of the original 
program's code and starts running instead of the original code. 

Unless these vulnerabilities and loopholes are treated on the most thorough and 
basic level, and since the internet keeps growing at an exponential rate and more and 
more businesses are becoming dependent on it - such attacks may increase in the near 
future to the point of almost unlimited damages to a very large percent of the 
computers that arc connected to the Internet. 

Other methods such as for example packet filtering are also limited in principle, 
since the rules of which packets to accept or not may contain for example subjective 
decisions based on trusting certain sites or certain applications. However, once 
security is breached for any reason, for example due to an error or intended deception, 
a hostile application may take over the computer or server or the entire network and 
create unlimited damages (directly or by opening the door to additional malicious 
applications), which until detected might be already too late to repair. For example, a 
self-resendable via e-mail macro-virus (such as for example "1 LOVE YOU'' and its 
derivatives and similar viruses) can arrive from your best and most trusted friends 
after their own computer has been compromised. Also, filtering for allowed types of 
protocols such as for example F I P versus SMTP and so on can be rendered useless by 
programs that encrypt or disguise a given protocol type to appear as another. Another 
major limitation of packet filtering is that it can't be relied upon to scan for stolen data 
in packets, since malicious applications can encrypt the data and/or disguise it to look 
like something else, so as to appear for example as a gif image. 

Antiviruses and firewalls are also not effective against security holes for example in 
browsers or e-mail programs or in the operating system itself. According to an article 
in ZDnet from Jan 24, 2001, security holes in critical applications are discovered so 
often that just keeping up with all the patches is impractical. Also, without proper 
generic protection for example against Trojan horses, which can identify any 
malicious program without prior knowledge about it, even VPNs (Virtual Private 
Networks) and other form of data encryption, including digital signatures, are not 
really safe because the info can be stolen before or below the encryption. 

Hvcn attempts to monitor in some ways a certain group of specifically marked 
executables or applications arc limited by nature, because the security breaches can 
come from many other directions. For example, A Trojan horse may already be 
lurking in the system for a long time and then suddenly create tremendous damage 
before being detected, or enter the system any time new applications are installed 
from any source. 

On the other hand, attempts for example to disallow completely any script within e- 
mail attachments to execute creates too many restrictions and doesn't separate 
between safe scripts that the user may want to run and scripts that actually try to 
perform malicious acts. 



Summary of the invention 
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The present invention is a novel concept which tries to go deeply into the roots of 
the causes of above described problems and thus to eliminate completely the above- 
described problems by creating what is to the best of our knowledge a very powerful, 
comprehensive, general and generic Security System for computers. This System and 
method is adapted to protect computers (which may include for example personal 
computers, servers, and other devices or gadgets with one or more processor that can 
run programs, as explained below in the definitions) against all kinds of malicious 
programs that may steal information and/or cause damages including for example 
changes of data, deletion of data, interfering with function, and so on (such as lor 
example Viruses, Vandals, Trojan horses. Worms, Macro viruses and Malicious e- 
mails). The system and method can be used in many operating systems, such as for 
example various platforms of Microsoft Windows, Linux, Macmtosh, or other 
operating systems, evcnthough the preferred embodiments use mainly the terminology 
of Windows, which is the most common and familiar operating system. 

The most important principles and objects of this protection system preferably 
include: 

1 . Preferably giving the user more information about processes that would 
normally occur without his knowledge, thus decreasing substantially the 
chance that malicious software will be able to mislead or deceive the user. ^ 

2. Defining preferably comprehensive yet parsimonic sets of rules of 
appropriate behavior of software so that the system can identify and 
intercept immediately programs that may be performing or trying to 
perform suspicious and/or detrimental and/or potentially dangerous 
activities or not behaving as usual. 

3. Monitoring and intercepting and possibly logging all unauthorized and/or 
suspect activities in the computer and/or asking for authorization or 
guidance when required. 

4. The above-described principles preferably allow multiple safeguards 
against security threats, so that malicious applications will usually have to 
break multiple security rules in order to do such things as stealing data, 
damaging data or propagating themselves, and thus the chance for catching 
them is much larger. 

5. Even if the user allows a certain application to launch another application, 
the newly launched application or applications are preferably again 
subjected in tum to all the same monitoring and rules as any other 
application and/or for example to the limitations that apply to the 
launching application, so that the scanning for breach of security rules 
continues to apply at all stages. 

6. Since the possibility of encryption by malicious programs which try to 
steal and send data over communication channels makes it impossible to 
make sure by monitoring the information flow itself that data is not being 
stolen - therefore the system preferably relies mainly on allowing the user 
maximum control over which applications can access which data, which 
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applications arc authorized to access which communication channels, and 
preferably also how much data is actually being sent. 

The above protection system is preferably comprised of the following main elements: 

I ; A monitoring and capturing system, which preferably constantly monitors 
the sccurity-sensilivc elements of ihc computer system, and most 
importantly all the relevant peripheral device activities, and preferably 
especially those related to storage devices (and especially the Hard disk or 
hard disks) and communication devices (network cards, modem, etc.) and 
can detect and intercept immediately suspicious or dangerous behavior. 

2. The security rules and a database (or databases) for storing the default 
rules, which preferably contain at least one of: a set of pre-distribution 
preferably acquired rules that are good for most users of the selected 
operating system, acquired additional user-defmcd rules, and statistics of 
normal or reasonable behavior of programs, which is continuously learned 
during the operation of the system. This database area, preferably contains 
also all the authorizations and optionally (in some embodiments) also for 
example a log of all the questions that the Security System asked the user 
and his replies (kept at least for a certain period), and when needed, also a 
log of suspicious activities detected (kept at least for a certain period) and 
may contain also definable additional logs. The database is preferably 
encrypted and is considered a constantly monitored high-security protected 
and preferably backed-up area as deflned below in the detailed description 

3. A user interface, which interacts with the user preferably in order to at 
least one of: learn acceptable behavior pattems, warn the user of perceived 
dangers when needed, and ask for the user's authorization when needed. 
Preferably it also allows the user to view statistics of behavior of important 
programs and/or groups of programs and especially programs that are 
allowed to access communication channels, especially in what is related to 
sending and receiving data over the communication lines, such as for 
example since the beginning of the current Internet session or for a certain 
time period. Preferably, this may also include information such as for 
example what protocols were used, etc. Preferably the user may also view 
or modify directly the database of authorizations or at least parts of it. 

The main functions performed by Security System: 

The main logic behind the rules that define appropriate versus suspect behavior is 
preventing as much as possible all the elements and activities that are required by 
malicious programs in order to be able steal any data or do any damage or propagate 
themselves. The Security System preferably uses a set of heuristics and basic rules for 
defining suspicious or potentially dangerous activities that are automatically suitable 
for most users. By using the general default rules and adding to them for example 
statistical analysis of normal system and applications behavior and what is learned 
from the . user's responses to authorization requests, the Security System quickly 
learns what is considered reasonable or well-behaved behavior of programs on the 
user's personal computer or server. Preferably, some of the learning is performed in 
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/ advance for each operating system and is included in the distribution database ^ th^ 
^ the system that is installed by the user has already learned vanous rules hat are 
relevant by default to most users of that operating system The SfC""»y 
functions performed by the Security System preferably include at least some of the 
following: 

a Constantly monitoring the security-sensitive elements of the 
computer system, preferably including all relevant penpheral 
device activities, and especially storage devices and 
communication devices, and preferably detecting and selectively 
intercepting any suspicious or dangerous behavior and acting upon 
it in accoixlance with the default and acquired sets of security rules. 

b Default segregation of programs into their natural environments, as 
defined below in the detailed description. This feature is very 

important. ... r 

c Preferably waming the user and request for authorization for 

security-sensitive activities and especially any first-time attempts 

to access communication channels, 
d Preferably constant and stricter monitoring and protection of areas 

defined in the various rule sets as higher security areas on the 

storage media, as defined below in the detailed description, 
e. Interception and more explicit waming of the user about potentially 

highly dangerous activities. , . 

f Preferably waming the user about significant statistical deviations 

from normal behaviors of applications and/or of the operating 

system and especially as relates to suddenly sending out large 

amounts of data. 

g. Allowing the User to request automatic immediate interception 
and/or waming the user of any attempts of external programs from 
the network to connect to the user's computer through the 
communication channels. 

h Preferably allowing the User to request enforcing of general 
limitations on the communication ports allowed to be opened and 
optionally also limitations on types of protiKols allowed. 

i Preferably monitoring and intercepting as much as possible all 
attempts of applications to gain direct port accesses to security 
sensitive devices and especially the storage media and the 
communication channels. 

Therefore, the present invention offers the following main advantages over the prior 

^' I It is adapted to generic detection and interception of all kinds and vari^ations of 
viruses. Trojan horses, worms. E-mail macro viruses and other vandals even 
when these arc completely new and not similar to other vandals encountered 
before. Therefore, it can also detect and intercept first strike attacks, instead ol 
waiting for a cure after the damage has already been done to tens of millions 

of computers. .... i l 

2. It is not dependent on constant updates of virus knowledge basses, unlike 

normal anti virus systems. 
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3. It is nol dependent on inherently limited methods, such as for example packet 
nilering. 

4. It preferably oflers multiple safeguards against various threats, so that a 
malicious program will typically have to break multiple security rules (for 
example, try to exceed its natural environments, try to access any of the 
communication devices v^ithout permission, try modify important system files, 
try to delete directories, try to modify other executables, etc.), and thus have a 
much higher chance for being caught. Also, preferably it gives the user more 
knowledge of what is happening in his system and therefore reduces 
significantly the chance of the user being mislead or deceived by malicious 
applications. 

5. It is more comprehensive than other solutions and may even at least is some 
embodiments catch and intercept backdoors that might exist in the operating 
system itself. Also, it is not dependent on marking a limited group of 
applications for being monitored, so that all applications are checked, no 
matter how they arc introduced to the system, including if they were there 
even before the Security System was installed. 

6. It is parsimonic in nature, so that it preferably doesn't need specific 
knowledge about the exact nature of specific programs such as for example 
various browsers or e-mail programs, and therefore also no updates are needed 
when the user downloads for example new versions or kinds of internet 
applications. However, preferably the security system may incorporate updates 
and/or other globally-acquired knowledge in order to improve itself. 

7. Malicious behaviors of programs can be detected and/or intercepted even if 
they, don't display viral or worm-like behavior at all, for example if a screen 
saver starts to steal data and send it out over communication lines even if it 
does not show any attempts to spread itself or to modify system areas. 

8. Even systems protected by tight encryption policies, such as for example 
online banks, are not really safe without the Security System of the present 
invention, because malicious software, such as for example the Subseven 
Trojan, can render the encryption useless by sending outside information on 
everything that is going on in the system at various levels. 

9. As one of the consequences of the automatic segregation between programs, if 
a virus or other malicious program manages to infiltrate the system, it is by 
default limited to its own Virtual Environment (VF), as defined below in the 
detailed description, where it cannot cause any damage to the system or to 
other programs. 

Clarification and Definitions 

Throughout the patent when variations or various solutions are mentioned, it is 
also possible to use various combinations of these variations or of elements in 
them, and when combinations are used, it is also possible to use at least some 
elements in them separately or in other combinations. These variations are 
preferably in different embodiments. In other words: certain features of the 
invention, which are described in the context of separate embodiments, may also 
be provided in combination in a single embodiment. Conversely, various features 
of the invention, which are described in the context of a single embodiment, may 
also be provided separately or in any suitable sub-combination. 
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Many times for simplicity of understanding we use terms that arc most commonly 
used within Microsoft Windows environment (which is the most common operating 
system for personal computers), so it should be kept in mind that in other oP^ratrng 
systems such as for example Linux or Macintosh some of these might have ditlerent 
names, somewhat different implementations, etc.. although the principles arc similar. 

As used throughout the present specifications and claims, the following words have 
the indicated meanings: 

"Program", "executable" or "application" is any file or area in memory that contains 
executable commands, such as for example .exe or .com files, batch files, vanous 
Macro files, etc. 

"Macro" is an executable written usually in a scripting language and executed by a 
complex application, such as for example Microsoft's Outlook or Word. 

"DLI" is a dynamic link library. This term is common for example in all versions of 
the Windows operating system. In other operating systems it might have different 
names but the principle is similar. In general it is a term for a set of routines that can 
be called from executables. loaded and linked into them during run time. 

"Device driver" or "Driver" is a softv«ue component that allows an operating system 
to communicate with one or more specific hardware devices attached to a computer, 
such as for example a hard disk controller, network card or display card. However, 
this can include also any software component running in the privileged mode - in the 
Kernel. 

"OS" or "operating system" is software responsible for controlling the allocation and 
usage of computer hardware resources such as for example memory, CPU time, disk 
space, and peripheral hardware devices. 

"IRQ" or -Interrupt request line" is a hardware line over which a hardware device, 
such as for example an input/output port, keyboard, or disk drive, can send interrupt 
requests to the central processing unit (CPU). Interrupt request lines are built into the 
computer's internal hardware and are assigned different levels of priority so that the 
CPU can determine the sources and relative importance of incoming service reqiiests. 
IRQ is an Intel concept to rank 1 lardware and Software requests according to their 
importance. 

"User" or "users" as used throughout the text arc always meant interchangeably to be 
either user or users. The user or users can be for example the individual user of a 
computer or computers or a corpt>ration or organization that uses the computer. 
Therefore, preferably various types of authorizations for example can be given either by 
the individual user of the computer or for example by the security administrator ol the 
company, or any combination of these. For example some companies might want to give 
full authority on critical issues only to the system administrator, while others might want 
to let the employees or certain employees have much more direct control. 

"User authorization" as used throughout the text can include also of course additional 
guidance and optioiis. 
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-Database^' or "Databases" as used Ihroughoul the text arc always meant 
interchangeably to be cither database or databases. 

^•Network'' as used throughout the text is always interchangeable as either network or 
networks and represents a connection from a computer (as defined below) by any way 
to one or more computers or any other compatible communication device. 

"File" is one or more areas on one or more disks and may have a definition in the 
FAT that may be represented as a name, directory, etc. and may have other 
parameters. 

"Registry" is one or more files that may contain operating system and other program 
settings and mainly managed by the operating system. 

"Computer" can refer to a personal computer or workstation or server, or any 
automated device or gadget with one or more processor or CPU, capable of more than 
simple arithmetic functions. This can include for example also cellular phones and 
portable computing devices such as for example a palm pilot. This can include also, 
for example, computers in cars, which may for example become very important as 
cars become more automated or even capable of automatic driving, since if hackers 
are able to damage them for example by internet or satellite connection, it might even 
cause life-threatening malfunctions. Other examples can be computers in satellites (In 
which case, user authorization, when needed, preferably should be requested remotely 
by encrypted communication with user remote verification), sensitive computer 
systems in airplanes, etc. So, eventhough we give the examples usually from a PC and 
Windows perspective, similar principles can be applied also to palm devices, cellular 
phones, and other types of computerized devices. Also, ^^computer" or "computers" as 
used throughout the text are always meant interchangeably to be either computer or 
computers. Therefore, whenever the word "computer" or ^^computers" is used 
throughout the text of this patent, including the claims, it can mean any of the above 
defined devices. 

'^Server" is a computer on a network that is running software that provides data and 
services to clients over the network. The term server can also apply to a software 
process that similarly sends information to clients and that appears on the same 
computer as a client process, or even within the same application. 

"Kemer' is the portion of the operating system that manages and controls access to 
hardware resources. It performs for example: thread scheduling and dispatching, 
interrupt and exception handling, and multiprocessor synchronization. 

"DMA" is Direct Memory Access. 

"Image Loading" as used throughout the text refers to an executable code that is being 
loaded for execution or unloaded/terminated. 

'^Hooked function" as used throughout the text refers to an executable filtering code 
placed between the calling code and called function and thus has the ability for 
example to monitor and/or intercept and/or redefine the function that is being hooked. 
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-API" stands for Application Programming Interface. 



Brief descritttion of the drawings 

Fig 1 shows the preferable main elements of the Security System within a typical 
structure of an operating system in a computer, with some of the hooked peripheral 
device drivers, especially those related to storage devices and network devices, and 
preferable places and ways that the various parts of the Security System are coupled 
to and interact with the above typical structure. 

l ig. lb shows in more detail a preferable way of interaction between Security System 
parts with an emphasis on the user interface and a prefcn^ed process of pemiission 
granting. 

Fig 2 shows in more detail a flow diagram of a preferable way the monitoring and 
capturing system interacts, monitors, checks and authorizes file hooked functions of 
the computer's operating system that may be preformed by an application. 

Fig 3 shows in more detail a flow diagram of a preferable way the monitoring and 
capturing system interacts, monitors, checks and authorizes network hooked functions 
of the computer's operating system that may be preformed by an application. 

Fig 4 shows in more detail a flow diagram of a preferable way the monitoring and 
capturing system interacts, monitors, checks and authorizes registry hooked functions 
of the computer's operating system that may be preformed by an application. 

Fig. 5 shows what preferably happens when executable flics are being loaded for 
execution. 

Fig. 6 shows in more detail a flow diagram of a preferable way the monitoring and 
capturing system interacts, monitors, checks and authorizes memory related functions 
of the computer' s operating system that may be preformed by an application. 

Fig. 7 shows in more detail a flow diagram of preferable main parts and methods of 
the Security System database, pemiission and analysis processes. 

Fig 8 shows in more deuil preferable interfaces and operation of a possible variation 
of using additional hardware, which monitors hardware accesses on the computer s 
data bus and has a 2-way interface with the Security System s software. 

Fig. 9 shows in mor« detail an overview of a preferable self-preservation method. 

Fig. 10 shows in more detail a flow diagram of a preferable method of interception 
process. 

I-ig 11 is a graphic illustration of a preferable way in which processes may be 
segregated and controlled. 
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Fig 12 is a visual illustralion of a more extreme implementation of keeping each 
program in a •Bubble' of virtual environment. 

Fig 1 3 is a visual illustration of a preferable conllguralion of connecting computers in 
an organization to Internet for example through the system administrator's computer. 

Detailed dcsrHntion of the nreferred embodiments 

All of the descriptions in this and other sections are intended to be illustrative 
and not limiting. 

Referring to Fig. I, we show the preferred main elements of the Security System 
(100) within a typical structure of an operating system (101) in a computer (which can 
be for example a server, a personal computer, or other computerized gadgets or 
devices as explained in the deHnitions), with some of the hot)kcd peripheral device 
drivers, especially those related to storage devices (110) and communication devices 
(111) and preferable places and ways that the various parts of the Security System 
(100) are coupled to and interact with the above typical structure. The entire system 
and method can be regarded also as a virtual machine that performs the described 
functions. 

The Security System is preferably comprised of the following main elements: 

a A monitoring and capturing system (102), which constantly monitors the 
security-sensitive elements of the computer system, and preferably especially 
all the relevant peripheral device activities and preferably especially storage 
devices (1 10)(cspecially the Hard disk or hard disks) and communication 
devices (111) (network card.s, modem, etc.) and can detect and intercept any 
suspicious and/or detrimental and/or potentially dangerous behaviors. This 
clement of the Security System preferably installs at least some parts of itself 
as much as possible in the kernel of the operating system (104). and other 
parts preferably replace various OS files, such as for example certain drivers, 
device drivers, DLLs, etc. in order to hook various vital functions. The 
monitoring and intercepting system is defined in more detail in subsequent 
figures. 

b Security rules (740) and a database or databases (700) for storing preferably at 
least one of: default rules (74X-C). a set of pre-distribution preferably 
acquired rules (74X-B) that are good for most users of the selected operating 
system, the acquired additional user-defined rules (74X-A), and preferably 
also the statistics (75 1 ) of normal or reasonable behavior of programs, which 
is continuously learned during the operation of the system. Preferably this 
database (700) contains in addition to all the authorizations, also an optional 
log (770) of all the questions that the Security System a.sked the user and his 
replies (kept preferably at least for a certain period), and/or, when needed, 
preferably also a log (770) of suspicious activities detected (kept preferably at 
least for a certain period) and may contain also for example definable 
additional logs. The database (700) is preferably encrypted and is considered a 
constantly monitored high-security pK)tectcd and preferably backcd-up area as 
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defined below. Therefore, all accesses lo the database are supervised by the 
monitoring and capturing system as explained in more detail in fig. 7. 

c. A user interface (103). which interacts with the user preferably in order to at 
least one of: learn acceptable behavior patterns, warn the user of all perceived 
dangers and/or ask for user's authorization or guidance when required. 
Preferably it also allows the user to view for example statistics and/or behavior 
logs of any program or groups of programs in the computer that the user 
defines or programs that are considered strategically important such as for 
example programs that arc allowed to access communication channels. For 
example one of the activities that is preferably being statistically checked and 
analyzed is the amount and the data that is being send or received, and 
preferably for example also the protocol that is being used, and/or other data. 
Preferably the user may also view or modify directly the database of 
authorizations, or at least parts of it. Preferably, the user may also choose the 
security software's tightness at a certain range of severity. 

rhe Security System may also include (as another possible variation) an optional 
hardware clement (800) shown in more detail in Fig. 8, which can alert the Security 
System's software to any events where access has been made to the security-sensitive 
ports (803) and/or memory (801) without an apparent corresponding event on the 
system level as monitored by said Security System's software. Another possible 
variation is to put a similar element for example, instead or in addition, in the modem 
or communication card itself, and/or for example in the motherboard or in the CPU 
itself, and/or for example on the hard disk interface. 

Further referring to Fig. 1, preferably the main rules and functions performed by the 
Security System include at least most of the following: 

I. Preferably programs are automatically segregated into their natural 

environments, so that by default, preferably each program (software 
application) is allowed to access (for example read, write, execute, 
create, delete, etc.) files only within its natural environment (which 
is mainly the directory in which it is installed, its sub-directories, 
and, preferably for reading only, non-strategic shared files). This 
way, even applications that are run within other applications, such as 
for example Java or Active-X within browsers, still have to conform 
to the security rules together with the browser itself (Another 
possible variation is thai the user may also ask in advance to protect 
and monitor only certain directories (or groups of directories), but 
by default all directories are monitored). If the program is 
attempting to be installed in the root of any drive, preferably the user 
interface part (103) of the Security System warns the user about it, 
and if he allows it, then the natural environment of such programs is 
limited only to the root of that drive and does not include its sub- 
directories, otherwise the segregation to branches would be 
meaningless in this cases. (In the more extreme embodiments 
explained in the reference to Fig. 1 1 , another possible variation is 
that the program is given the illusion that it installed itself on the 
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root of a drive, but in faci ii is in a limited Virtual Environment, and 
thus in a lower directory). Similarly, the Security System preferably 
constantly monitors, intercepts, and warns the user of any attempts 
by programs to access the storage devices (110) through direct I/O, 
since that could render meaningless the segregation rules, (This can 
be accomplished for example by putting the Security System in ring 
0 - Using Intel architecture terms). This can be viewed either as a 
segregation of programs or of processes, however it is more 
preferable to implement it according to program files, since for 
example two or more copies in memory of Netscape will still 
typically have the same privileges and definitions. On the other 
hand, if different threads are run by some programs, for example 
Java or .lavascript by Netscape or for example active-X by MSIE, 
another possible variation is that they can be treated separately as 
processes, or they can be identified separately anyway for example 
by the file from which the DLL originates, etc. But even if for 
example the activc-x or Java are run by functions within the browser 
which arc indistinguishable from other internal parts of the browser, 
according to the above defmitions the scope of damiage they can do 
is automatically limited by the limited access the browser itself has 
outside its normal environment, as explained above. Another way to 
explain it, which also shows the problematic nature of the prior-of- 
the-art situation, is to compare the computer to a hotel. Allowing a 
program to do whatever it likes to other programs or to their data 
files or to critical files of the operating system is as absurd as letting 
a guest in a hotel bother any other guests as he pleases, enter their 
rooms, steal their property or copy it or destroy it, destroy their 
rooms, etc., or for example have free access to the hotel's safe or 
electronic switchboard or elevator control room, or phone. The 
present concept is like limiting each guest by default to his room and 
limiting by default his access to the Hotel's strategic resources, so 
that only by explicit permission each guest can get additional 
privileges. In order to make the segregation more effective, 
preferably the user is encouraged to place each newly installed 
software in a separate directory. However, since many users 
download new files into some common download directory for 
convenience reasons, there is a possibility that a malicious software 
will attack (for example delete or corrupt) other files in this 
download directory when the user tries to install it, or for example 
read other downloaded files in that directory to find what their 
default installation directory is and for example also which software 
is used to open them, and then for example pretend to be related to 
other programs in the download directory and thus get itself installed 
in the directories where they were installed. In order to prevent this 
preferably the security system can use for example context sensitive 
infomiaiion, such as for example the time each newly downloaded 
software was added, so that unreasonable or suspicious behavior can 
be easily detected if a downloaded program for example starts 
looking at files that were downloaded at different times, even though 
they are in the same directory, or starts for example going over the 
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entire directory and/or tries for example to modify other cxccutablcs 
in that directory. As explained, of course various combinations of 
the above and other variations can also be used. 

By default, prelerably no program is allowed without permission to 
access and especially to modify or replace sensitive areas or files (as 
defined below) or device drivers in the storage media (and 
preferably, to the extent possible, also in the computer's RAM 
(1 12)). which are regarded by the Security System as High security 
areas, such as for example critical operating-system files, registries, 
INI files, important DLL (Dynamic Link Libraries) files, 
communication-related files (such as for example Winsock. etc.). the 
boot sector, the FAT. autoexec or configuration files, the 
initialization areas of the operating system, the Windows Startup 
directory, the BIOS, user defined high security files or directories, 
system files that contain lists of URLs from which drivers can be 
automatically downloaded without asking the user, all the 
executable and data files and databases related lo the Security 
System itself, or anything else that may prevent the Security System 
from continuing functioning properly or initializing properly after 
the next boot. Similariy. the Security System preferably constantly 
monitors attempts by various programs to access for example the 
area of the hard disk used by the operating system for the swap files 
and/or other cached areas on the disk, since that could also allow 
various security breaches, such as for example replacing critical 
DLLs with malicious DLLs while they arc cached on the disk during 
virtual memory swapping. In addition to this, the system may 
preferably to the extent possible also protect (600) some RAM (112) 
areas if they are not adequately protected by the computer's 
operating system (101). For example, there might be a vulnerability 
that enables applications to access a shared memory area called 
"System internal object name space" and change the names of 
DLLs, thus replacing them with references to malicious DLLs. In 
addition to this, the Security System preferably makes sure (600) 
that it will not be thrown out of the RAM by other applications that 
might try to neutralize it. for example by checking all the time that it 
is not thrown out of the'DDB (Device Descriptor Block) by other 
applications and putting itself all the time in the first place there, 
and/or for example by the methods described in Fig. 9 about self- 
preservation. Preferably, unless it is sufficiemly done, by the 
operating system itself, to the extent possible, the Security system 
also prevents programs from accessing also in memory the code or 
data of other programs or their drivers or DLLs. etc. (for example 
unless given explicit permission to do so). This can be done for 
example by a method that when each application is running, all the 
pages of other applications are marked as missing, so if the 
application tries to access their data or code in memory it causes a 
CPU exception and then the Security System handles it and 
disallows the access unless the missing page is really a page that 
belongs to that application. Since in Windows there are for example 
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a number of API (Application Programming Inlerface) funclions that 
allow programs to behave like debuggers, thus enabling them to 
access and/or alter the memory of other programs that are currently 
running, preferably the Security System asks the user to explicitly 
authorize programs that he wants to allow such privileges. Another 
possible variation is that if programs that have not been given 
special access rights try to access such APIs, they are automatically 
prevented from that, or even cannot see such APIs. Also, preferably 
APIs that allow file-handle copying between processes are 
automatically disabled, or they arc allowed to be used only between 
programs that are running with the same Virtual Environment. 

In addition to this, as much as possible, preferably most of the high 
security areas described above in clause 2 are monitored regularly 
for signs of suspicious changes preferably by means of a hidden 
fingerprint for each such file which will cease filling the file if an 
unauthorized change has occurred, and preferably there are also 
additional hidden encrypted and regularly refreshed backups of 
important areas that can be used to restore them in case of damages 
to them. 

Preferably any program that tries to access (such as for example 
send, receive, listen, connect etc.) communication channels (111), 
including IP address, port and protocol (for example win-sockets 
and network shared device drivers (300)) needs to get permission 
from the user (unless il has already been given this privilege). Based 
on this monitoring, the user is preferably warned and is asked for 
authorization when needed, inbound or outbound, including any 
attempts from programs or hackers from the network (120) to 
connect to the user's computer, and the Security System may also 
trace-route such attempts on the net (120) in order to find the source 
of the attack Preferably on personal computes attempts to 
communicate from the outside are automatically blocked and logged 
without bothering the user. Preferably, when the Security System 
checks or asks for permissions, such as when it asks the user for 
example if to allow a certain application to access communication 
channels, it shows additional relevant data apart from the 
application's name, such as, for example, the full path of where the 
executable is installed, its size, its date, and/or details such as for 
example CRC, memory segments, or other identifiers, in order to 
reduce the chance that some hostile application might for example 
install itself under some directory and name itselfnetscape.exe and 
thus be given inadvertently by the user access to the web. This 
means also that for example if an application changes after being 
given certain permis.sions, the user will be asked again about it and 
preferably warned explicitly about the change. Similarly, preferably, 
if another application with the same or similar name is already listed 
in the Security System s Database, the security system preferably 
warns the user about this, in order to further avoid confusion. If the 
u,ser is for example an organization and the organization wants for 
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example lo allow the system administrator lo control which 
applications have access to the web. then for example each time an 
employee working with a certain computer allows a certain 
application lo access the web, then preferably this can be permitted 
only if it fits the definitions allowed by the administrator, preferably 
using various idenlincation marks to make sure that it is indeed an 
allowed application and not some other executable with the same 
name. This can be accomplished in a number of possible ways: For 
example the administrator can define allowed applications with their 
identification marks and broadcast this once in a while to all the 
computers in the organizations, and the Security system will allow 
access to communication channels only to applications that comply 
with these definitions (preferably these definitions are password- 
protected and also reside in an area regarded as a high-security area). 
Another possible variation is that various requests for authorizations 
(prcferably including various identification marks of the 
applications) are broadcast by the security system directly to the 
administrator without even asking the employee and preferably 
remain blocked until authorization can be given by him. Another 
possible variation is for example that new authorizations given lo 
applications by the employee (or at least authorizations on important 
issues) are broadcast by the security system also to the 
administrator, and allowed only if he OKs them. Another possible 
variation is for example that, at least for certain authorizations, the 
user has to call the administrator, and only he can authorize ihem for 
example with a password. Another possible variation is for example 
that applications that are allowed to access the web and/or other 
communication channels reside only in one (or more) computers in 
the network and the other computers can access them for example 
only by limited access through local-area network. Various 
combinations of these and other solutions are also possible. Also, 
preferably the Security System allows the user to define general 
limitations on the communication channels (111) allowed to be 
opened and and/or for example also limitations on types of protocols 
allowed, which is especially useful in ca.ses where the computer is 
being used as a server, since in such cases the computer will run 
most of the time unattended by the user, or for example if the user 
wants to block automatically all incoming communication attempts 
and just log them. Additionally, due to the nature of E-mail Macro- 
viruses, as added security measures, the system preferably 
constantly monitors the communication channels for outgoing E- 
mail messages and asks the user for confirmation any time that one 
or more e-mail messages are being sent oul by any program (even 
authorized programs) or at least and especially when multiple E- 
mails are being sent out consecutively. Preferably, the Security 
System also learns by this process various characteristics of the way 
the user is normally sending e-mail messages, so that whenever 
sudden unusual characteristics are apparent, preferably a special 
interception and warning can be issued. Kor example when sending 
e-mail normally through a program like outlook express, the relevant 
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MAPI functions may be called differcnlly and/or other processes 
may happen differently than for example when sending e-mail Irom 
a Visual Basic Script executed by outlook express. In addition to 
this, since programs thai arc allowed to access the communication 
lines (and especially browsers and e-mail programs) are usually a 
crucial link in Internet related attacks, preferably such programs are 
always monitored more thoroughly by the Security System, and 
therefore regarding such programs preferably the user may not tell 
the Security System to stop asking about various behaviors. 
Examples of said communication channels in terms of hardware can 
be the modem, Ethernet card(s), or even the USB (Universal Serial 
Bus), which can also be used for example for ADSL connection, or 
any other device that exists or might exist in the future which might 
be used for communicating data in and out of the computer. This 
comprehensive covering of all possible communication channels is 
extremely important, since otherwise the whole security system 
might be rendered useless. Examples of said communication 
channels in terms of software can be any of the system functions that 
can access any of the said hardware devices that can be used for 
communication, including for example 1 API functions, which can 
use the modem for sending Faxes, since, otherwise, a malicious 
application might for example turn off the internal loudspeaker of 
the modem and dial out and send out stolen data as a Fax. This 
applies also for example to any access to wireless channels, such as 
for example Bluetooth or infra-red, since this also can be used for 
sending data to the computer or stealing data from it. As explained, 
of course various combinations of the above and other variations can 
also be used. 

Preferably, the monitoring & capturing system (102) conducts 
constant statistical analysis of various events in the computer in 
order to learn about normal behavior and identify significant 
deviations from the normal behavior (such as for example sending 
out significantly more data than usual, accessing more files than 
usual, etc.). Preferably, especially the programs that have been 
authorized for use of the communication channels (111) are 
constantly statistically analyzed and monitored for suspicious 
deviations from their normal statistical patterns of behavior, so that 
if such a program for example suddenly starts to access significantly 
more files than usual or scan large areas of the disk (even if it has 
been allowed by the u.ser to access areas outside its natural 
environment) or starts to send out unusual amounts of data, it is 
preferably immediately intercepted and the user warned and asked 
for authorization. This is important also in cases that programs start 
to act strange due to their being changed while already loaded in 
memory, for example because of some hardware failure or because 
they were crashed by string overflow (for example accidentally or 
by malicious buffer overflow takeover), etc. Preferably the security 
system can also support more than one user working on the same 
computer with separate statistical information, preferably by keeping 
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separate user profiles. Another possible variation, preferably in 
addition to this, is that the security system preferably also checks at 
least for highly important processes in RAM memory (such as for 
example in Server applications or applications that have been given 
privileges, such as for example permission to access communication 
channels and/or to exceed their natural environments), preferably in 
short intervals, that its code has not changed in RAM memory 
(which can happen for example in cases of bulTer overflow or in 
cases of hostile takeover in memory by another process). This can be 
done for example by checking its COFF format when it is being 
loaded into memory, in order to know where the code segments arc 
and not be confused by changes in the data segments, and then 
preferably marking the code with a highly sensitive checksum. 
Another possible variation is for example making sure at least in 
important applications that their code is always only in hardware- 
protected read-only memory segments. This can be done for 
example by changing their COFF mapping to ensure proper 
alignment of code into separate pages tagged as read-only, so that 
any attempts to change them will cause CPU exception. 

Preferably the Security System monitors as much as possible all 
attempts of software applications to gain direct port accesses to 
security sensitive devices (such as for example the modem and 
network cards (111), hard disk controller, etc.), or to bypass for 
example the win-socket drivers, since such access could bypass the 
operating system. Windows NT for example allows only drivers that 
are installed in ring 0 to access such ports directly, so ordinary 
applications are automatically prevented from doing this, but some 
other versions of windows do not enforce this limitation. Therefore, 
preferably the Security System tries to enforce this as much as 
possible even on systems were it is not enforced. 

During its own installation, the Security System preferably performs 
various checks if various crucial system files are suspicious of being 
infected already, and in that case might for example recommend to 
the user to reinstall the operating system before trying to install 
again the security software. 

In order to solve the security problems created by the existence of 
writeable shared directories such as for example the windows temp 
area, the Security System preferably implements also a new concept: 
Virtual Shared Directories. This way, each time an executable tries 
to access such a shared directory, it will be preferably given the 
illusion that it has accessed it, but in reality, each such executable 
will be preferably redirected to a separate private sub-directory 
which only it can access. Similarly, when executables are accessing 
for example shared keys in the registry, the Security System 
preferably implements also a Virtual Shared-Keys system such as 
for example registered components, etc., so that again, preferably 
the executables arc given the illusion that they have accessed the 
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shared keys, but preferably they arc in practice being redirected each 
to its individual private file of relevant registry keys. Preferably this 
is implemented also for example when a program needs to install 
certain files, such as for example DLLs in system directories. 
Preferably the virtual shared directory is implemented for example 
by giving the program a logical view of the shared directory or lor 
example only some of the files in it, so lhat if the program is allowed 
to sec them it preferably sees the original copy (to reduce 
unnecessary duplication unless needed), but if it changes any ot 
those files, they will in reality be copied into files in the prograrn s 
individual private area and changed only there (This can be regarded 
as an extended implementation of the ''Copy-on-write' prmciple). 
This in combination with the other rules/functions, and especially 
rule no I (about the automatic segregation), can also be described in 
other words as a system of multiple automatic sandboxes, or a 
system in which each program is limited to its own virtual computer 
or virtual environment. Another possible variation is to use similar 
virtual sharing also on other shared resources ot the computer. As 
explained, of course various combinations of the above and other 
variations can also be used. 

To the extent possible, the Security System preferably also tries to 
push the operating system or at least parts of it (such a.s for example 
the installed physical device drivers and/or the device drivers of the 
operating system's inner core and/or any other elenients that can 
allow to gain a similar of control or protection and/or addiliona 
parts), to the extent pcssible. from processor ring 0 (privileged) 
preferably to ring 1 (less privileged), preferably with the aid of an 
additional component that converts all the needed functions to run m 
ring 1 instead of ring 0. However it is more preferable to push also 
the operating system itself or as many parts of it as possible to a 
higher numbered ring since this allows closing also backdoors or 
vulnerabilities in the operating system itself. Preferably, the secunty 
system runs below the operating system and intercepts the operating 
system the moment it is being loaded into memory and transfers it 
preferably to ring 1. Any attempt by the operating system to access 
ring 0 will now cause a CPU exception, and. in order to increase 
efficiency, one possible variation is that the security system 
preferably rewrites on the fiy each such command in the operating 
system code which is running in the computer's RAM to access 
iaslcad the current ring in which it is in (such as for example ring 1 ). 
so that the next time that line of code is accessed in memory, the 
exception will not occur anymore (until the next boot). Another 
possible variation is for example to change at least some ol the 
system files on the disk. This is an additional way to block any 
hidden doors that might exist in the operating system. And of course 
it allows easier control over the access to system resources. 
Although these rings are concepts in Intel processors, similar rings 
or concepts might be used also in other processors. Another possible 
variation is that the operating system itself moves for example all 
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the installed physical device drivers for example to ring 1 , so that 
any attempt to access directly any physical devices, such as for 
example the communications card or the hard disk card, will create a 
CPU exception and then the operating system decides what to allow 
or not. But that means adding various features of the Security 
System to the operating system itself or for example making the 
security system an integral part the operating system. Another 
possible variation is that the physical device drivers and/or the 
operating system or parts of it are for example still in ring 0 but 
there is a special more privileged area (or areas) within ring 0 or for 
example below ring 0 (for example ring -1) which can preferably 
catch all the exceptions caused by the device drivers in ring 0 and/or 
by the operating system and is preferably immune to attempts by 
other drivers or by the operating system to neutralize it or take its 
place. This can be accomplished for example by adding such a 
special privileged sub-area within ring 0 and/or below ring 0 by a 
change in the CPU itself This has the advantage that it can be easily 
accomplished without having to deal with the complexity of pushing 
the operation system to a higher ring. The feature of adding 
additional control below the operating system by defining a special 
sub-area within ring 0 or an additional ring below ring 0, can be 
used also independently of other features of this invention, and 
various elements may be added to this control. Another possible 
variation is that preferably in addition, in order to prevent device 
drivers from accessing devices other then those that they are 
intended to access, preferably each device driver must have a 
definite type indicator (such as for example disk driver, screen 
driver. Network card driver. Mouse driver, etc.), and when a new 
device driver is installed preferably the user is asked specifically if 
he allows the program to install such a driver. And when a driver 
runs and/or during its installation preferably the security system 
and/or the operating system and/or for example a hardware element 
(for example in the CPU itself) preferably checks that is does not 
access other physical devices that don't belong to the type it is 
allowed to access, so that for example a screen driver cannot access 
directly hardware ports of the disk or of the network card or of the 
input devices, etc. However, if the drivers are for example in ring I 
and the security system in ring 0, there is no need for special 
hardware support, since any attempt of the drivers to access direct 
hardware ports will cause an exception and then the security system 
can check if the driver should be allowed to access the device it is 
trying to access. However, if a device driver is limited to a certain 
type of devices, preferably it is also prevented from accessing 
directly other drivers that can access other types of devices, 
otherwise this can bypass the limitations. Another possible variation 
is that at least some device drivers are associated only with the 
programs that installed them or with their Virtual Fnvironments, so 
that for example if a malicious program installs a new keyboard 
driver that changes for example '^yes ' to '*no" and vice versa or for 
example steals keystrokes into a log file for later sending it to the 
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Internet, the only program that can use this driver and thus be 
affected by it is the program that installed it (or for example other 
programs that are within its own Virtual Environment). So if there is 
for example a device driver for an input device, such as for example 
the mouse or the keyboard, (and/or for example an output device, 
such as for example the printer or the screen) which is associated 
only with a certain program, preferably when it is swapped out 
during multi-tasking, preferably if there arc any hardware buffers 
associated with it, they are preferably also copied and cleared, so 
that no trace of it can aft'eci other programs. Another possible 
variation is that the security system or at least part or parts of it (for 
example any of the parts that are below ring 0) become active even 
if the computer is booted for example from a floppy drive or CD or 
network drive or any other source that is not the normal boot area. In 
other words, the security system or part of it is automatically 
activated for example by the BIOS or by the processor itself before 
the normal boot sequence begins. Preferably it is by the processor 
itself (For example if at least a small part of security system or a 
special pointer to it is stored for example in a special ROM area in 
the CPU itself), so that even changing the BlOS's liPROM will not 
prevent it from becoming active. Another possible variation is that if 
the security system discovers for example that the BIOS has been 
compromised or corrupted (for example if it was changed without 
authorization according to a digital signature or starts to behave 
suspiciously), preferably the security system can issue a warning 
and/or restore it from various preferably hidden backups. Another 
possible variation is that when changes need to be made in the 
security system itself - for example updates or bug fixes - 
preferably the user is prompted very explicitly to confirm it and/or 
for example some physical key needs to be physically attached to 
the computer or to any of its peripheral devices (such as for example 
the keyboard or the mouse) during the update in order to allow this 
to happen. Another possible variation is to require for example such 
a key for making changes to the BIOS. Similarly, another possible 
variation is that the security system is also hardware-protected, so 
that it cannot be removed by any software means. This can be 
accomplished for example if it or al lea.st a part of; it is stored on a 
ROM device, and for example the CPU itself will issue a warning 
and/or restore it from various preferably hidden and preferably 
protected backups and/or stop executing any other programs until 
the Security system is restored. These features of safety even during 
foreign boots and/or if the security system was compromised by any 
other means, can be used also independently of any other features of 
this invention. Of course, various combinations of the above and 
other variations are also possible. Another possible variation is to 
enforce the automatic file segregation among programs by 
encryption, so that each program for example can only access files 
or libraries for which it has the access code. As explained, of course 
various combinations of the above and other variations can also be 
used. 
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for example, and the operating system .s usually ^PROMM based, "i a 
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more for business transactions, such as buying from «-<=«"^'^J^«^ ^ 
transferring funds, stock market instructions, etc., the security of sensitive 
Sdc Tuch as for example credit card data and especially pnvae 
en luon keys extremely important. So. for example any attempt to 
aS r private encryption Keys in any way P- ^^^^^^^ 
pemiission from the user. Preferably in these cases the user is also a.sked 
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for a password, which helps for example in cases where the phone is 
stolen. 

4. Any attempt to automatically dial-out or automatically answer incoming 
calls preferably needs explicit permission from the user, especially if 
multiple automatic dials are attempted. This prevents any viruses from 
causing the phone to automatically send messages to various places, or 
from becoming for example a spying device, recording what is going on in 
the room and sending it out without the user's knowledge. 

5. In case of constant open Internet connection, expected for example in the 
3'** generation cellular phones, like in the PC example, preferably no 
program can access the web without prior user pemiission and no 
connection initiated from the outside can come-in without user permission. 

6. Any unauthorized access to additional communication channels, such as 
for example Bluetooth devices also is preferably blocked or has to be 
authorized by the user. 

7. As cellular or mobile or other phones become more sophisticated and 
computerized or for example integrated with palm devices, they may 
contain more and more features typical of ordinary computers and 
operating systems, and then more features of the present sy,stem and 
method may be needed and implemented. 

More technical details are described in the following figures. 

Fig lb shows in more detail a preferred interaction between Security System parts with 
an emphasis on the user interface (preferably graphic user interface) and a preferred 
process of permission granting. As soon as a program (executable) tries to perform what 
is considered by the Security System as suspect or potentially dangerous activity (such as 
for example exceeding the natural environment of the program or trying to access the 
communication channels), the monitoring and intercepting system (102) immediately 
stops the program (1002) and may for example ask the u.ser for authorization or block it 
automatically, and if the user is absent, for example in case of protecting a server, suspect 
activities may be for example either blocked until the user comes back and/or logged 
(770), and such decisions are made for example either according to the various sets of 
security rules (740) and the nature of the suspect or dangerous activity, or by user 
definition. Preferably, for non-highly dangerous activities (1106), the Security System 
gives the user options such as for example to abort the offending program immediately, 
allow only this time, disallow but let the program go on, allow always from now on or 
until a certain event, stop asking completely about similar breaches for this program, or 
stop asking completely about similar breaches for all programs in this directory and it's 
sub-directories. Another possible variation, described later below, is that at least for such 
activities the security system relics mainly on whether the user or the program initiated 
the activity, and thus the security system can for example ask the user less questions or 
no questions if the user initiated the activity, and for example block it or limit it 
automatically if it was initiated by the program. Of course various combinations of these 
variations can also be used. If the suspect activity is related to files, the Security Systems 
preferably asks also if the permission is given only for reading of data or also for 
modifying data, etc. If the suspect activity is related to communication channels, the 
system preferably may also for example allow the user to .specify which channels to allow 
the application to use and what related activities to allow. The examples (in all of the 
figures) are intended to be illustrative and not limiting. Preferably, in order to avoid 
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careless responses by the user, the user is always asked for authon7jt.on m such ways 
that responding without paying attention will always detauU to the least d^gemus 
options Preferably, for highly dangerous activities (1108), such as example 
?otatting a drive! mass deletion of flcs. changing hard disk P^^^" "'♦^^^^^^^ 
changing boot ar«a information, installing drivers in levels close to Jcemel of he 
op^ra^ine system, accessing the high-security areas, or modifying --"^^'f ^^'.^^^ 
outside the natural enviionment of the offending, executable programs (such as for 
exlmple exe and com files, batch files, DLLs, MS-DOC. MS-XLS files, or any other fik 
that might contain executable commands), renaming them, renammg direc ones, or 
chanShc linking of file types with applications that will be run when clicking on 
S etc - the a.ser is warned more explicitly (preferably also with an explanation about 
T^y>l. implications and causes) and/or for example asked to repeat ^^^^^^^^^^ 
twicV Preferably some of these activities ate considered more dangerous than others, so 
r ^ is a hierarchy of potentially dangerous behaviors^ Preferably, this .s m^^^^^ 
cases - even for programs that were allowed by the user to exceed their natural 
Svironment Preferably, when the user is asked for authorization, the secunty system 
a ; mXs ure that no'other programs can enter false answers as if they were ente^d by 
the user through the keyboad or the mouse or any other input device, to example by 
prevem ng other programs (except the allowed relevam input device drivers) from adding 
dl fb e'xample',0 the burter of typed keys in memory and the buffer of -^u^ events 
or for example by using the hooking of all keyboard access and all mouse events to make 
lhat wLver is read for example from the keyboard or mouse is 'd-t.cal m ^^^^^^^ 
in their event buffers or using only the commands that come directly through these 
hook d functions. Another possible variation of this is that the Secunty System f|^eze^ 
aS other processes while it is waiting for the user's reply, for example at l^t for highly 
dangerous activities. Another possible variation of this is that the Secunty System plants 
its own keyboam and mouse drivers instead of those normally m use ho-«ver th« ^^^^^^^ 
be problematic when a non-standard keyboard or mouse is used. Another possible 
variation of this is to use for example a smarter keyboard and/or mouse which uses also 
encryption preferably with a date & time stamp, like in ^''^."''"T" uf 
administrator's computer, as explained below. In addition to this. Preferably the S c^^^^^ 
System also controls access to events and to objects («"ch as for ^''^P'j.f^^^^j .^^^^^^ 
and to the memory of programs such as for example «helI32.dlL user32.dll & t^32.dU 
(which are related to the Windows user interface, for example when using the standard 
open file dialogue box), so that programs don't create false events (such as example 
pressing the OK button even though it hasn't really been pressed) or for examine altering 
by direct memory access the content of the input line that contains the file name. 
Preferably this is done for example by replacing at least part of the Operating System s 
dialogue boxes and preferably intercepting and/or replacing also other c<>'"Pon'="!^^ ^ 
can request input from the user, so that the Security System has more control on what is 
happening in them. Similarly preferably the security system also separates between 
messages and objects at the process level and controls access to messages and preferably 
scans the messages before they can enter the Operating System's message system m 
order to catch for example falsifications and/or unreasonable or suspect messages or 
potentially dangerous messages. Preferably, when programs execute other programs the 
executed programs also have the same limitations as the programs that executed them 
(for example especially being limited to the same Virtual Environment of the executing 
Diottram), and preferably programs are allowed to send OS messages only to programs 
which are running within their own Virtual Hnvironments. Preferably the Secunty system 
replaces at least some of the OS functions that deal with the OS message system, and 
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preferably it attaches to each message an identification that shows if the OS or another 
application is the source of the message, and if it is an application, preferably also the 
identification of the application. Preferably, the Security System allows certain messages 
to be initiated only by the OS. such as for example timer messages, messages that 
indicate various hardware events, etc. This way, for example, only the Operating System 
can send a to program a message that indicates what was read from the keyboard or the 
mouse. These features can be used also independently of any other features of this 
invention. Preferably these or similar methods can be applied also for example in systems 
that allow voice commands. Another possible variation of this is to ask the user also for 
password for at least some of these authorizations, such as for example for highly 
dangerous activities, which is good also in order to decrease the chance that the 
authorization will be given by someone else for example while the user is temporarily 
away. Of course, various combinations of these methods can also be used. Preferably, 
like in the examples given in function 4 in the reference to Fig. I, the Security System 
also preferably identifies if the user or an application initiated a potential security-risk 
command, such as for example accessing a file outside the natural environment of the 
program for a program that still does not have that privilege, and so can for example 
allow more Hexibility and less limitations (or even no limitations) if the command was 
initiated directly by the user than if it was initiated by the application. This can save the 
need to ask the user for confirmation in cases where he himself directly initiated the 
command, for example when it is not a highly dangerous activity, so if the program 
initiated the activity, such as for example trying to exceed its allowed environment then 
the security system can for example block it automatically. If it is a potentially dangerous 
activity, such as for example accessing high security areas (for example as explained by 
the examples above), such as for example accessing an important system data file or 
executable, preferably the user is also asked to verify it to the Security System even if he 
already supposedly allowed it to the perpetrating program for example through a dialogue 
box, or for example the action is simply automatically not allowed and for example the 
attempt is preferably logged. (Another possible variation is that the virtual shared areas 
principle is applied in this case, so that for example even if the user allowed it to the 
program, the program can access in fact only a copy of that file that is copied into its own 
virtual environment. However, this could still be dangerous, since even the copy of such 
a system file might for example contain dangerous information, such as for example the 
user's address book, passwords, directory structure, user privileges, etc. or might have 
access to a lower driver which has much more rights. Another possible variation in this 
case is to limit also the driver if accessed later through the copy of the system executable 
that is in the virtual limited environment of the program, but that might be problematic, 
especially if that lower driver needs for example access to other highly dangerous areas 
for its normal operation). When the user allows for example Netscape to access files 
outside its natural environment, preferably this gives Netscape access right to the selected 
file only during that session, and preferably the Security system does not assume that the. 
user wants Netscape to be able to see the directory where that file resided. Preferably it is 
also not allowed to access even that same file again after closing it, without the user's 
permission. Preferably only by explicit permission to the security system or for example 
explicit change in the Security System's control table, can the user give a program for 
example higher-order rights, such as for example accessing a full directory outside its 
normal environment, or for example the whole computer, which is needed for example 
for programs that need it such as for example Defrag, or virus scan software, or any other 
software that legitimately needs to much more free access to the computer, including for 
example if the user wants to freely run his own compiled programs. But since programs 
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thai arc allowed to access the internet, and especially highly strategic programs such as 
for example Netscape and MSIE, including all of their plug-ins or "helpers", arc 
preferably watched more carefully, as explained above in feature 5 of the reference to 
Fig. I, preferably the user is also explicitly warned by the Security System against givmg 
them access rights outside their natural environments. Perhaps the user won't need to 
give such rights for example to MSIL or Netscape, since it is not needed tor their 
function, but if the user lor example wants to write some scripts that really do something 
with his files and run them for example from Word or Outlook Express or any other 
Office programs, he himself becomes crippled if he cannot allow the script to actually run 
with access to where it has to go. But if he gives for example Word those access rights, 
he might forget to remove them later and then other Scripts can also run with the same 
rights This is as additional reason why the additional safeguards are prelerably also used. 
However, in this particular case another possible variation is that the user can give the 
rights specifically only to the desired script (by allowing it to the Secunty System), 
without having to give these rights for example to Word or Outlook Express, l or 
example even if Netscape becomes later for example compromised by buffer overflow 
attack and even if for some rea.son the security system takes some time to discover this, 
the compromised Netscape will still have very little access rights outside its natural 
environment. And even if for some reason the user has given for example Netscape or 
MSIE access rights outside its normal environment (for example on purpose or 
inadvertently or because he was fooled into it by a malicious process for example during 
the buffer overflow), according the above specifications preferably the additional 
safeguard of identifying highly dangerous activities and/or sudden unusual behaviors will 
spring into action if the malicious code that used for example buffer overflow to enter 
tries to do anything suspicious or highly dangerous. This will not unduly harass the user, 
since by definition unusual or highly dangerous activities are not supposed to happen 
oflen, and if they do happen, there is a good chance that the user will be happy that he 
was asked about it. Also, Preferably the user can choose for example if he wants more 
information and authorization requests from the Security system for example for highly 
dangerous activities, or if he wants for example most or all highly dangerous activities to 
be blocked automatically and preferably also logged. Again, in order to make this 
reliable, the Security System preferably prevents applications from creating the false 
impression as if the user for example typed something on the keyboard and thus initiated 
the command, preferably by use of any of the ways described above. However, the mere 
fact that the user for example typed something on the keyboard or clicked on the mouse, 
and the program did something, does not prove that indeed the user meant for that 
something to happen. For example, a malicious program might send an email every time 
the user clicks on some element in it. but the element says something totally different, .so 
the user is actually being deceived. So preferably the Security System assumes that the 
user himself initiated a command only if he typed it directly at the operating system level 
or for example in a dialogue box. Similarly, if for example the Security System relies on 
the dialogue box of a malicious program and assumes that the user indeed authonzed for 
example accessing a file outside the natural environment and thus does not confirm it 
again with the user, the user might be deceived by the program to think that he is being 
asked something totally different. For example the program during installation might use 
a large list of directories within a small scrolling window and ask the user if it is OK to 
install in a list of default installation directories, but hidden below is also for example the 
directory "C:\My Documents". Or the program might use for example confusing buttons 
or graphics, where -'yes" is really "no" and vice versa, etc. In order to prevent this, 
preferably the Security System disables for example graphic display of questions in the 
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dialog box or imposes other limiiations for programs that use them, or for example asks 
the user in such a case for additional confirmation. In order to prevent for example 
misleading textual questions preferably the Security system uses also at least partial 
semantic analysis of what the user is really being asked, for example by analyzing 
sentence structures or at least significant word combinations and/or for example using 
various rules and/or for example a statistical database of commonly used questions, etc. 
For example in suspicious cases or unfamiliar patterns the security system preferably 
intervenes and asks the user for confirmation, either each time this happens, or for 
example after a few positive confirmations the security system learns that this kind of 
questions is apparently OIC. Another possible variation is that the Security system for 
example guards at least the top line title of the dialogiie box, so the when it is an "open 
file" dialogue box. it will always say so cleariy, and if it is a "save file" dialog box it will 
always say so clearly. This way, even if the user was given a misleading question by a 
malicious program, he can still know clearly if he is being asked to chose a file for only 
Read access, or if the file chosen is about to be written or changed. Another possible 
variation is that, preferably in addition to this, the security system itself keeps a trace of 
which files where opened only for reading, and thus prevents the program from later 
writing into those files. Another possible variation, which is especially applicable if the 
security system is for example an integral part of the operating system itself, is that a new 
protocol is introduced for dialogue boxes, in which for example only the security systems 
runs completely the dialogue box and the programs have to indicate preferably in a more 
structured format, what they want exactly. However, in any case, since a user might 
mistakenly authorize dangerous things even if asked correctly, just because for example 
he is asked many consecutive questions in a similar format and does not pay attention, 
preferably there are always multiple safeguards that can catch the suspicious or malicious 
activities also later, as explained above. Therefore for example if the user made a mistake 
or was deceived into allowing a malicious program to access for example Word.exe and 
the program tries for example to modify the file or insert malicious code into it, the user 
is preferably explicitly wamed about it by the security system even though he supposedly 
just authorized it to the program that is attempting to modify Word.exe, because it is 
considered a potentially highly dangerous activity, as explained above. Preferably the 
user has to explicitly authorize for example compilers to modify exccutables without 
warnings. In addition, preferably highly strategic executables, such as for example 
Word.exe (and preferably also its related files and/or directories), Internet browsers and 
other programs that were allowed to access the communication channels (and preferably 
also their related files and/or directories), compliers, and/or for example any *\doc" file or 
any directories that contain ".doc" files and/or for example source code files and/or 
directories that contain them (and especially for example any directories with the 
standard name of ''my docs"), and/or for example directories in which the '\doc'' files 
and/or the source code files were created by the user, are preferably considered 
automatically by the security system as even more important than ordinary executables or 
files or directories, so any attempts to access them by other programs that are not 
normally associated with such files or directories are preferably reported to the user even 
more explicitly. (Otherwise, for example the user might be inadvertently deceived into 
allowing a program to "install itself into a directory containing ".doc files, and then, 
even if it is implemented by virtual sharing of the directory, all the doc files might be 
exposed to the program and can later be stolen. Or the user might for example be 
inadvertently deceived into allowing a program to "install itself in the directory that an 
email program, such as for example "Pegasus", uses for sending pending emails). 
However, in order to avoid further unnecessary questions preferably the user is able to 
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explicitly associate new programs with such files or directories or tell the Security 
System to stop asking such questions about them. The security system can identify such 
strategic executabics and/or directories and/or files for example by using predefined 
rules, and/or by automatically marking programs as highly strategic according to the 
number and/or types of authorizations Ihcy have (such as or example accessing the 
Internet or accessing multiple directories outside their natural environments), and/or by 
the fact that the user is using them interactively considerably more than other programs or 
files or directories, etc. Preferably the user can also explicitly marie for example certain 
directories and/or for example certain file name extensions as highly protected. So for 
example in case such a highly strategic executable such as for example Word.exe or 
Netscape exe has been changed (for example because the user authorized it to some 
attacking program by mistake even after being prompted by the security system itself or 
for example because some buffer overflow for example in a running thread of Netscape 
allowed ho.stile code in memory to change also the file Netscape.exe on the disk), the 
user is preferably warned about it again, especially for example if the changed executable 
starts behaving differently from normal previous behavior statistics. However, preferably 
the security system will intercept the attempt of the running thread of Netscape to modify 
the disk file Netscape.exe as a suspicious behavior, and ask the user for authorization or 
for example block it automatically. This is very important, since if for example 
"Word.exe ' has been inserted with malicious code, it can either for example start deleting 
directories (which will preferably be intercepted immediately as again a highly dangerous 
or suspect activity), or for example it might start secretly sabotaging only the current file 
that is being edited when the user saves it on exit (or for example sending it out to the 
Internet), in which case it could take the user much more time to find out what is going 
on until huge damage has already been caused. Since highly dangerous activities by 
definition are supposed to occur only rarely, warning the user explicitly is not going to 
bother the user, since in most cases the question will be justified. For example the only 
times Wo«l.exe can be modified are for example when the user installed an update to 
word. Since the user might do this for example only once in a year or two, so he will 
almost never be bothered about it by the security system, and if he is bothered about it 
more often, it means that probably indeed some hostile software is trying to compromise 
Word.exe, in which case the warning is quite justified and the user will be happy that it 
was intercepted. Preferably the user is warned even more explicitly if a change to an 
executable is attempted under suspicious circumstances, such as for example trying to 
modify an executable without changing the date of the file, and/or for example a program 
in memory trying to change its own executable file on the disk, etc. Another possible 
variation is that highly strategic programs such as for example Wofd.exe or MSIE 
(Microsoft Internet Explorer) and preferably any Operating system files, simply cannot 
be changed or cannot run KVHN if the user authorizes the change directly to the Security 
System, unless the update or patch carries a for example digital certificated that proves 
that it is indeed an authorized and unchanged official patch by the vendor who made the 
original program, such as for example Microsoft in this case. Preferably, additional 
definitions of highly dangerous activities may be easily supplied as an update. However, 
in Older to avoid issuing multiple warnings for example while a program is installing 
itself, preferably the Security System can handle it smartly as a continuous action within 
the same context. Also, when a new program installs itself, preferably the security system 
records which files arc created by it, in order to be able to identify more easily its 
associated files even when they are in other areas. Preferably the Security System also 
analyses during the installation the imported functions in shared DLLs of the program in 
order to try to anticipate the behavior of the program and its needs. So preferably the 
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Security System is installed as soon as possible after the operating system is installed, 
before other applications. (However, as explained above, the Security System can work 
also for applications installed before it). Also, in order to make this more efficient in 
organizations, preferably one computer can be used for example for learning all of the 
segregation rules and various environment parameters for each program and this 
knowledge can be transferred to all the other computers in the organization, regardless of 
the order in which the applications are installed in the other computers. Like the 
examples given in function number 4 in the reference to Fig. 1, If the user is for example 
an organization and the organization wants for example to allow the system administrator 
to control some or all of the important authorizations, or all of the authorizations, or for 
example all the potentially highly dangerous activities, then preferably various or all 
requests for authorization can be for example referred by the Security system directly to 
.the system administrator instead of or in addition to asking the employee that works with 
the computer, or for example automatically blocked unless they fit with pre-defmed 
pemiissions by the administrator (that can preferably be easily updated by him whenever 
needed), by methods like tho.se described in the relevant examples given in function 4. 
Also, preferably various information such as for example parameters or suspect behaviors 
learned on one or more computers can be transferred to other computers, preferably only 
after authorization by the administrator. Preferably all communications with this 
authority (such as for example the administrator's computer) are secure and encrypted 
and preferably include also an exact time and date stamp, in order to prevent malicious 
programs for example from trying to send false authorizations or reuse old authentic 
authorizations for generating false authorizations. Also, preferably this communication 
uses special protocols of the security system instead of the normal network device drivers 
and protocols of the operating system. Preferably, this can enable also in practice general 
policy enforcement, so that for example the organization can decide and enforce very 
easily for example that only a certain set of programs may be run on all or on certain 
computers, or only certain actions are allowed on all or on certain computers, etc. The 
various options or variations can be regarded as various possible embodiments. However, 
some of them can be made available for example as separate products, or for example as 
various options within the same product. Preferably on each computer in an organization 
the level of control given to the employee versus the control for example by the system 
administrator can preferably be set independently for each computer in the organization. 
Of course, various combinations of the above and other variations can also be used. 

A preferable way of viewing and/or modifying the database of authorizations is for 
example in the form of a table which lists the names and preferably various identification 
marks of applications allowed to access communication channels (and preferably 
possibly also a list of which channels), or to exceed their natural environments, or to have 
any other privileges which normal applications do not have by default, and lists which 
such privileges they have been given. Some activities might remain unallowed to any 
applications, such as for example trapping the keyboard device in order to catch 
keystrokes. Preferably this table includes also various statistical data about the behavior 
of each program, as explained before. In an organization where most control is in the 
hands of the system administrator, preferably the security system installed on each 
computer still runs a similar table and maintains a similar database, however the system 
can limit what the employee can change without the administrator's authorization. In 
such an organization, preferably on the administrator's computer this table contains also 
additional information and controls, such as for example the list of computers connected 
to the system within the organization, preferably with a unique identifier to each 
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computer, and preferably with additional statistical information on the behavior of each 
computer in the list, so that preferably the system can automatically alert the 
administrator for example whenever a computer in the system star^ to dev'ate 
significantly from its normal behavior, such as for example """sual disk actm^^ 
unusual communications activity. Such dau is preferably also logged, freferab y the 
communication between the administrator's computer and the employees ^^mpuX^ xs 
encrypted and secure. Preferably, in addition to this, the Security System on he 
administrator's computer constantly sends short communications at short mterva s to the 
other computers in the system in order to be able to notice qu.ckly for «^ample 'Hhe 
Security System on any computer has been damaged or disabled J»referably, this short 
communication can contain for example special codes with different keys for each 
computer, so that only an active Security System can respond to it properly and so that a 
different response will come from a working computer where the Security System has 
been disabled or is not working properly (including for example if the computer was 
booted from a diskette instead of the hard disk), and no response from a computer that is 
turned off for example. Another possible variation is that preferably, in addition to this, it 
the computers in the organization are configured to access the web tor example only 
through one (or more) central gateway computer (which might be the administrator s 
computer, or a separate computer), as shown in Fig. 13 (so that for example each normal 
computer in the system does not have an independent modem and only has for example a 
network card), this might be used as an additional control for catching backdoore tha 
might exist for example even in the operating system itself: In this case, pi^lerably all 
communications are routed also through the administrator's computer and the Security 
System on each computer preferably reports to the Security System on the administrator s 
computer all the time or at preferably short intervals for example how much data it has 
allowed to be sent out from the computer's communication channels, so that the ^cun y 
System on the administrator's computer can preferably notice and intercept immediately 
or aflcr a short interval communication attempts from computers where the amount ot 
actual communication does not fit the amount reported by the Security System ot that 
computer. In order to find how much data has been actually sent by each computer, the 
Security System on the administrator's computer can for example check the packet 
headers by itself or use for this for example the services of the network firewall on the 
gateway computer if such a firewall is being used, or use some other routing information 
to know fVom which computers the data is coming (such other routing information, for 
example by letting each communication card add its own unique stamp to the data after it 
leaves the computer, or by other hardware features of each line, is preferable since the 
source addresses in packet headers can be easily falsified for example by hostile Trojan 
applications that send out .stolen data. If the communication cards adds its unique stamp, 
preferably it also checks and removes any such stamps that come from the computer in 
order to avoid falsification, or for example the gateway or the Secunty System on the 
administrators computer can discover such falsification because it will cause redundant 
stamps). This feature is very important and can be used aLso independently of other 
features to find cases where the actual amount of data sent-out does not fit the amount 
reported, even for example the amount reported by the dialer of the operating system. 
Another possible variation is that the security system of each computer preferably reports 
to the Security System on the administrator's computer (or for example on the gateway) 
in addition to this also additional data identifying the packets that are being sent out. such 
as for example special CRCs or various statistical characteristics, m order to prevent for 
example a ca.se where a hidden backdoor (or Trojan that managed to slip through the 
Security System) blocks exactly the same amount of legitimate outgoing data while 
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sending the same amount of stolen data so thai the total amount of data sent out does not 
change. If a hostile Trojan application will for example falsify the source address of each 
packet (for example in a version where no additional hard routing information is 
available), then the central Security System will either see an illegal source or some other 
source computer will thus be attributed the additional data, and with the above additional 
feature the statistics or CRC can also help to pinpoint more easily the computer which 
has been taken over. Another possible variation is that, instead of or in addition to the 
above, the Security System of each computer preferably also encrypts the outgoing data 
packets (or at least their statistics or CRC data or other identifying data or fingerprints or 
a redundant copy of such data) with a unique identifier for each computer and a special 
signature (preferably also with a time & date stamp which preferably also changes all the 
time), preferably like in all the secure control communications with the Security system 
of the administrator's computer, and the Security System on the administrator's computer 
or the gateway decrypts the data and allows it to pass only if it is legitimate and thus can 
discover immediately when some illegal communication is happening. Another possible 
variation is to use for example the IPSEC protocol for the communication between each 
computer for example to the gateway and/or administrator's computer, in combination 
with control information of the Security System that describes at least the amount of data 
that is sent out each time, so that no packets can be changed or replaced with other 
packets or replayed. In this case, preferably VPN (virtual Private Network) and IPSEC is 
required for communications within the internal network, and preferably the gateway 
computer opens it. This way, the IPSEC and all its negotiations arc done by the Security 
System, and thus attackers cannot use the communication interface below without having 
to go through the Security System for communication. However, in order to enable the 
checking of mismatch between what was sent and what was received, preferably the 
security systems is able to monitor and take into account for example re-broadcasting of 
presumed lost packets in the socket layer. Of course, more than one administrator can 
exist. Another possible variation is to use for example for each computer (or each group 
of computers) a modem or network card or other communications device (111 in Fig 1) 
capable of monitoring at least the amounts of data sent out so that this communication 
device can preferably report back to the Security System of the computer how much data 
actually went out, so that preferably the communications can be immediately blocked and 
an alert issued if the amount ofactual communication does not fit the amount reported by 
the Security System of that computer. (Preferably the blocking in this case is done by the 
Security system, however another possible variation is that it can be done also by the 
communications device itself, or by the administrator's computer or the gateway 
computer in organizations where all the traffic goes through them). This has the 
advantage that it can be used also for single computers or small groups of computers that 
don't use central control, however it could be used also in organizations with central 
control. Again, this is important and can be used also independently of the other features 
of this invention to find cases where the actual amount of data sent-out does not fit the 
amount reported, even for example the amount reported by the dialer of the operating 
system. Another advantage of this is that there is no problem of falsifying the origin 
addresses in packet headers, since all packets that reach the modem or network card come 
from a single computer coupled to it. Additional variations can also be used here like 
those described above in the case of these checks being done at the gateway or 
administrator's computer. Preferably if such a communication device is used, it has a 
firmware that cannot be changed by software but only by physical replacement, in order 
to reduce the chance for hostile takeover of this device itself, and preferably the 
communication device is also capable of generating automatically various reports on 
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outgoing and/or incoming data and preferably the security system makes sure that no 
other applications can interfere with the device driver of the communication card and 
thus mess with these reports. Another possible variation of this is for example reporting 
similarly also how much data went in. Another possible variation in organizations is that 
reports about such cases of incongruities are reported automatically by these 
communication devices also (or instead) for example to the system administrator. Ol 
course, various combinations of the above and other variations can also be used. 

Fig. 2 shows a preferable method for monitoring, checking and authorizing access to 
hooked functions that are called due to a disk related action (201 ) (such as for 
example file open, tile read, file write, file change, disk read, disk write, disk 
format, etc.). Preferably the function is tunneled to the proper method of 
access (202) (read, write, query, etc.). Then the Security System retrieves 
caller s identity (203). retrieves its relevant information from the database 
(700). if needed, and retrieves the required file action parameters (204) (such 
as file name, path name. etc.). The parameters are tracked (211) and, if 
needed, relevant parts are stored in database (700) for further use (for example 
for statistics). If needed, an access to rules settings in the database (700) is 
made i6 check whether the current action is permitted, and the answer's origin 
is authorized to prevent hacking of the Security System (207). (For example, if 
the program tries to access a file within its own directory or subdirectory, it is 
not necessary to access the database). Also, preferably the Security System 
can take into consideration also if the action was initiated by the user or by the 
application, as described in Fig. lb. If hacking was spotted, the Security 
System preferably proceeds to special termination process (1001). If origin of 
answer is authenticated as coming indeed from the database, the Security 
System performs a check whether the action is permitted. If not, the Security 
System can for example ask permission from the user, or terminate the 
process, or tell it that something does not exist, or tell it that the request has 
been done (without actually doing it), or do the above things if the user has not 
agreed, or choose other actions, preferably depending also on the amount of 
visibility wanted by the user (1002), and if authorized it passes on the 
parameters to the original hooked function (212), and, if needed, the databa.se 
is updated with the new authorization. Also, it should be noted that this and 
the other figures, and especially the Howcharts are just general examples, and 
various steps can for example change or be in a different order. In this and 
preferably also with other types of hooked functions, preferably the security 
system also prevents applications from accessing directly lower level 
functions that can access devices, so that for example in case of disk access, 
applications are also prevented from accessing directly the lower level file 
system of the kernel or the actual device driver that physically acces.ses the 
hard disks (and preferably similarly with device drivers that can access other 
storage media). Preferably this is done for example by hooking also the lower- 
level functions and preventing for example calling them not through the 
normal kernel interface. 

Fig. 3 shows a preferable method for monitoring, checking and authorizing access to 
hooked functions that are called due to a communication related action (301) 
(such as open connection, close connection, send, receive, etc.). Preferably, 
the function is tunneled to the proper method of access (302) (send, receive. 
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etc.). Then the Security System retrieves caller's identity (303), retrieves its 
relevant information from database (700) and retrieves required 
communication action parameters (304) (such as handle id, address, protocol, 
etc.). The parameters are tracked (311) and, if needed, relevant parts are stored 
in database (700) for further use (for example for statistics). Also, preferably, 
when possible, the Security System can lake into consideration also if the 
action was initiated by the user or by the application, as described in Fig. lb. If 
needed, an access to rules settings in the database (700) is made to check 
whether the current action is permitted and the answer's origin is authorized to 
prevent hacking of the Security system (307). If hacking was spotted the 
Security System preferably proceed to special termination process (1001). If 
origin of answer is authenticated as coming indeed from the database, the 
Security System performs a check whether the action is permitted. If not, the 
Security System can for example ask permission from the user, or terminate 
the process, or tell it that something does not exist, or tell it that the request 
has been done (without actually doing it), or do the above things if the user has 
not agreed, or choose other actions, preferably depending also on the amount 
of visibility wanted by the user (1002), and if authorized it passes on the 
parameters to the original hooked function (312), and, if needed, the database 
is updated with the new authorization. In this and preferably also with other 
types of hooked functions, preferably the security system also prevents 
applications from accessing directly lower level functions that can access 
devices, so that for example in case of network access, applications are also 
prevented from accessing directly the actual device drivers that physically 
accesses the communication channels (and preferably similarly with device 
drivers that can access other storage media). Preferably this is done for 
example by hooking also the lower-level functions and preventing for example 
calling them not through the normal kernel interface. 

Fig. 4 shows a preferable method for monitoring, checking and authorizing access to 
hooked functions that are called due to a registry related action (401) (such as 
for example read, write, change, etc.). Preferably, the function is tunneled to 
the proper method of access (402) (read, write, etc.). Then the Security System 
retrieves caller's identity (403), retrieves its relevant information from 
database (700) and required registry action parameters (404) (such as key, 
value, etc.). The parameters are tracked (411) and, if needed, relevant parts are 
stored in database (700) for further use (for example for statistics). An access 
to rules settings in the database (700) is made to check whether the current 
action is permitted, answer's origin is authorized to prevent hacking of the 
Security System (407). If hacking was spotted the Security system preferably 
proceeds to special termination process (1001). If origin of answer is 
authenticated as coming indeed from the database, the Security System 
performs a check whether the action is permitted. If not, the Security System 
can for example ask permission from the user, or terminate the process, or tell 
it that something docs not exist, or tell it that the request has been done 
(without actually doing it), or do the above things if the u.scr has not agreed, or 
choose other actions, preferably depending also on the amount of visibility 
wanted by the user (1002), and if authorized it passes on the parameters to the 
original hooked function (412) and, if needed, the database is updated with the 
new authorization. 
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FiB 5 shows what preferably happens when any executable files are being ^o^<^foT 
exTution (501) by the o^^raling system. The S-my System 
abtiul it and checics it before it actually starts running. Furthennore the 'Uc is 
bdng Iccessed in an earlier phase (see f,g. 2) when the Se-nty System 
Sits the access to the file (for example, if format.exe was demed .t won t 
^rh this phase) as ii is being accessed before loading into memory (see Hg^ 
2) The Security System preferably tracks file parameters and relevant data 
? 02) (such as for example process id (PID). threads, allocated -emory eicO 
for further use, stores them in the database (700) if needed, and passes on the 
parameters. 

Fiu 6 shows a preferable method for monitoring, checking and^"»!'<^"f!"S acc«s to 
Iked functions that are called due to a memory related action (601) (su h as 
for example read, write, etc.). Then the Secunty System retncve caHer^ 
identity (602). retrieves its relevant information from database (700), gets its 
parts (libraries, etc.) and its self-allocated memory (Phys-c^K vmual etc 
(603) and checks if the process exceeded its memory borders (604). If it 
exceeded it the Security System can for example ask permission from the 
S:™inate the prLss. or tel. it that something ^- -t -st^^ ^^^^^^ 
that the request has been done (without actually doing .1). or do the ajx vc 
hings if the user has not agreed, or choose other actions, preferably depending 
^Zn the amount of visibility wanted by the user ( . 002). ot^e-se .t 
on the parameters to the original hooked function (605). Preferably this fea^ur^ 
is implemented to the extern possible since its implementation may be limit^ 
or ^^tally limited on various operating systems. The optional additional 
hardware described in fig. 8 might also be useful in this context if needed. 

Referring to fig. 7. we show preferable main parts and methods of a Security System 
itabai. The database or parts of it are located in computer s memory and n 
stoiace media Any access to the database is encrypted (701) and its origin 
Ser(702). The authentication is checked (703) and if hacking was 
spotted the program preferably proceeds to special termination P^oce^ 000 )^ 
If the access is authenticated the database may set or retrieve infomiation 
(704) from or to the records (740) which preferably contain statistics records 
75 1 Process ID (PID) records (752). additional records (760) log of activity 
770) and Security rules (740) which preferably contain mfo such as for 
example file records (741), Network records (742) and Registry records (J43). 
Each group of the oilc records preferably contains the following mfomiauon 
acquired user's rules, pre-distribution acquires rules, default rules and vanant 
parameters (as described above). If the request is for storing 
request is perfomied and returned to caller (706) (one o. the Secunty Systern 
inner functions). If the request is for retrieving infomiation, he fonowing 
preferably occurs: The database keeps track of statistics and analyz^ (707). If 
die Security System spots any suspicious deviation in activity, the answer 
returned to the caller function is negative and the appropnate explanauon 
passed through (710) (this action is performed when handling infomiation tha 
is not inner Lurity database such as for example PlD-752, etc.). otherwise it 
returns the answer that was retrieved from the database (709). 
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Referring to Fig. 8. another possible variation is that the Security System may also 
include an optional hardware element (800) which gathers (804) and/or logs 
(805) monitored hardware port accesses (803). DMA (801). IRQ (802), etc. 
Preferably the monitoring hardware mainly monitors access to storage devices 
(especially haixi disk controller) and access to network devices (such as for 
example modem, network cards, etc.). Preferably, the monitoring hardware 
has an interface (811) for transfer of information from the Security System's 
software (104) to said hardware clement (800) (such as for example through 
accessing read and/or write ports in said hardware clement (800)) and for 
immediate feedback to the Security System's software (104) (such as for 
example through accessing read and/or write ports in said hardware element 
(800), through interrupts, etc.) so that it can alert the Security System's 
software (104) to any events that have been defined in the built-in local 
database (806). The comparison of events between the software monitoring 
and the hardware monitoring can preferably be done by either the hardware 
elemem (800), by the software part of the Security System (104) or by both. 
When either the hardware element (800) or the Security System's software 
decides that unknown access has been made to the above monitored hardware 
without apparent corresponding event on the top system level as monitored by 
the Security System software (104). the event is intercepted and reported. 
Monitoring and catching these events enables the Security System to further 
close any remaining loopholes in the operating system and programs that may 
override agents hooking, and ultimately even catch and intercept even 
backdoors in the operating system if they exist. 

Refen-ing to Fig. 9, we show an overview of a preferable self-preservation method. 
Any Security System part that is being called (901) performs a regular check 
every defined time (902) for all Security System files integrity (903) and its 
running functions' (as described in fig. I) integrity (904). If a deviation is 
found (905), it preferably informs the user for full understanding of the 
situation and performs a Self-preservation interception and report (1001). In 
addition to this, in order to protect itself in memory, preferably the security 
system defines a part of the physical memory so that no other process can 
access it except by using a limited number of calling gates (such as for 
example when calling one of the hooked functions), and any other attempt to 
access this memory area for example for reading or writing causes a CPU 
exception which transfers control to the Security System. Since the Security 
system can know from this which application tried to "attack ' it. the security 
system preferably initiates "anti-hacking" measures, such as for example 
disabling the attacking part of the process, terminating the process, destroying 
the process's environment, etc. 

Referring to Fig. 10, we show a preferable method of the interception process. It 
preferably contains two major interception routes: The first is a normal 
interception (1002) - it is used when an executable tries to perform an 
unauthorized activity. In that case it can for example notify the user ( 1 1 0 1 ) (as 
described above), blocks the parameters from reaching the original function 
(1006). and can for example inform the original caller (the program that 
requested the function) about ftinction failure. The second is a Self- 
preservation interception (1 00 1). It is used when the Security System detects 
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an intrusion of any kind by an offensive program or a hacker. In that case 
preferably it terminates the offensive program immediately ( 1 007) (such as for 
example unload from memory, etc.) (Method of termination may be different 
from operating system to another), and the Database (700) is modified so it 
marks the oft'ensivc program and/or its files accordingly (1009) (such as for 
example not allowing the access to them, etc.). A self-check is being 
performed (900) (as described in fig. 9) and if the Security System is 
endangered (1010), it starts Survival emergency procedures (1011) (such as 
for example reinstall, shutdown parts, reload, etc.). If not, it continues 
monitoring (1010). Although it may seem from the diagram that in certain 
cases there might occur endless loops, this is not the case in reality, it only 
seems so because the diagram is simplified. 

Referring to Fig. 11, we show a graphic illustration of a preferable way in which 
processes may be segregated and controlled. Whenever a process (1111) 
attempts to access other processes or their natural environments (1113) or 
possibly important system resources (1114-1124), it has to go through the 
Security System's interception and decision engine, so that practically a 
virtual environment or virtual computer (1112) is created around it. However, 
it should be noted that this graphic illustration is ju.st a possible example. Not 
all of these functions arc necessarily implemented, however, preferably, most 
or all are implemented. (Category 1122 - other - refers to other possible 
resources that may be relevant for example in other operating systems or other 
CPUs, or for example other devices or other virtual environments). A more 
extreme possible implementation of this concept (as illustrated also in Fig. 12) 
is for example that every time a new program is installed, it is given the 
illusion that nothing else exists on the computer but itself and the operating 
system and the computer resources (For example software and hardware) that 
it is allowed to see, so that only the user and certain programs such as for 
example the relevant parts of the Windows directory explorer and privileged 
programs given special explicit permission by the user or by predefined rules 
can see the real directory structure and resources. Preferably these permissions 
can be given either at the level of an entire program, or for example at the 
level of segments or parts of the program, so for example the part of explorer 
that deals with the screen does not need to be given permission to access the 
directory system. This can further limit for example the extent of damage that 
can be caused by various exploits. This way, it is like an infinite set of new 
installed computers, each with a clean and new operating system, and each 
computer runs only one program: For example, one runs Internet Explorer, a 
second runs Windows Word, a third runs DOOM II, and so on. However, as 
^ explained for example in function no. 1 of Fig. 1, of course more than one 
program can share the same Virtual Environment, since more than one 
executable can be in the same directory. For this implementation preferably 
the Security System is the first thing installed after the operating system, and 
the security system preferably relies mainly on identifying if the user or the 
program initiated each security-sensitive action in order to decide 
automatically if to allow it or not, as explained in the reference to Fig. lb. This 
way preferably the amount of nagging to the user is reduced to the minimum. 
However, this still preferably involves additional safeguards, as explained for 
example in the references to Figs. I & lb and in other sections. So since the 
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user can see the entire directory structure (or for example at least the allowed 
parts of it if he has less than root privileges) and the program can only sec its 
own VE (Virtual Environment) unless explicitly given additional rights, 
preferably all of the actions initiated by the program are automatically limited 
to the scope of its own VE. As explained in the reference to figs l&lb, 
preferably the VE contains mainly its own directory with its sub-directories, 
but preferably the program or programs in the VE can access also essential 
non-strategic OS directories or files, preferably for read-only, and if they try to 
change these files, preferably the file that needs to be changed is copied to the 
VE and changed only there. However if we take this to the extreme, it creates 
the problem that when the user tries for example to run an anti-virus scan 
program or any other program that needs access for example to the entire disks 
or at least to other directories in order to do its work properly, the program 
will be able to scan only the scope of its limited VE, and the user might not 
even notice that the program actually didn't do its job. So, again, preferably 
there is a mechanism that allows the Security software to ask the user about it 
and/or at least a mechanism that allows the user to explicitly give these 
programs the additional access rights that they need, as explained in the 
reference to Fig. lb. Another problem is that some programs that can access 
the Internet, such as for example MSIE, Windows Media player, and others, 
may behave like integral parts of the operating system or at least might already 
be installed automatically during the installation of the operating system itself 
Therefore, in order to i,solate them into their appropriate VE's, preferably the 
Security system uses various heuristics in order to define the boundaries of 
their VE^s, and/or for example uses predefined rules. These heuristics can 
include of course automatically limiting them by default to their default 
directories and subdirectories, as explained for example in the reference to fig. 
1, and for example limiting their access to needed DLLs that are in appropriate 
System areas, to Read-only access. For special programs such as for example 
Microsoft Word and/or other Microsoft Office programs (which are dangerous 
also because they can access critical or secret user data files and because they 
can also access the internet and because various exploits have already been 
used on them in the past), preferably predefined rules are used anyway, even if 
they are installed after the security system, because they behave in many ways 
like an integral part of the operating system after they are installed and 
because they can show some behaviors that would be considered highly 
suspicious if a normal program performed them. For example, when Word is 
loaded, it can quickly access multiple directories, even in other drives. 
Preferably such behaviors are analyzed in advance for creating the predefined 
mles about them, since such behavior might for example be used for spying 
purposes or for causing damages, if for example some Internet exploit (such as 
for example some buffer overflow) manages to take over Word. However, 
since Word is running in its own VE and therefore cannot see any directories 
and/or resources other than the resources it is allowed to see, the scope of such 
scanning behavior is automatically limited anyway. On the other hand, lets 
consider for example what happens when Word is being installed: Since 
''C:\My Documents ' is created by Word itself and it can even insert various 
files in it then, it could normally be interpreted that this directory is part of its 
VE, so it can ft*eely access any ".doc" files it likes in this directory. Now 
consider for example what will happen if Word (which can also access the 
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inicmct) is compromised for example by buffer overflow or for example by an 
expioil using unsafe active-x and then immediately deletes for example all the 
" doc" flics. Of course it can do it because it is in its own VE. Or for example 
the compromised Word process in memory changes for example the disk copy 
of Word.exc. which is within its VU, and inserts for example a slow Trojan 
horse which for example secretly sabotages each file as it is being saved (as in 
the example given in the reference to Fig. lb), or for example deceives the 
user into giving it additional access outside it own VE. This is another 
example why preferably additional safeguards are also used." as explained m 
the rcfs to Figs. I & lb. Apart from for example preventing such changes in 
execulables, another possible variation is for example that after an installation 
of a program has finished in its VF. any further changes to files m this VE are 
automatically copied to another sub-VE or related VE or child-VE whichis 
preferably subject to even more limitations than the onginal VL. ine 
connection between such related VEs can be for example through pointers 
(preferably reciprocal) and/or table of relations and/or thmugh encryption. Ot 
course, if the Operating System allows various authorizations to diHerent 
users, such as for example root user and normal users, the vanous VEs are 
preferably limited also within each user space. Another possible variation is to 
decide for example by predefined rules or by stricter VE rules, that Word 
cannot even access directly or see any ".doc" files that were saved by l^hc user. 
However even this is not safe enough without the additional safeguards, since 
Word tor example saves many copies of ".doc" files in temporary files, and 
since this saving is initiated by Word itself, these files are within its own Vb. 
So now if Word for example becomes compromised for example by butler 
overflow, the hostile code might for example make it send out on the Inteniet 
all the temporary doc files it can access. And like in the above example, 
without the additional safeguards, the hostile code can still for example change 
the disk copy of Word.exe and start sabotaging each time the current .doc 
file. In addition, this implementation still has the same problems as discussed 
in the reference to Fig lb, that if the user wants to run for example m any ol 
the Office programs Scripts that can really affect other files, he needs to be 
able to give these programs or at least these scripts additional access rights. 
Another possible variation is that when a new program is bemg mstalled the 
user has the option of choosing for example new Vli (Virtual Hnvironmenl) 
for that program (preferably this is the default), or for example allow it to 
become part of an already existing VE. so for example if the user is sure that 
this is indeed a legitimate update of Word, he can allow the update to update 
and/or inherit all the current VE of Word, or for example allow it to have free 
access to the entire computer, if for example the user is sure that he is indeed 
installing now a Windows update for example from an original Windows CD 
or for example a system update or security patch that he has downloaded 
directly from Microsoft. So if for example the user installs an anti-vims 
program that needs to be able to scan the entire disks, he needs to install it at 
the highest level. But this, again, leaves the user vulnerable to installing by 
mistake programs at the highest access level that should not be there (for 
example a malicious program that pretends to be an anti-virus program), so, 
again, the additional safeguards are preferably also used. And also, preferably 
the user is able to correct mistakes for example by moving such a program 
back into a limited VE. Another possible variation is for example not to ask 
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the user anything or almost anything and rely mainly on the VEs, and 
preferably also on additional safeguards, so that for example preferably at least 
some potentially highly dangerous activities are automatically blocked, even if 
the user apparently authorized them to the perpetrating program (or for 
example some arc automatically blocked and some are decided by asking the 
user). (Another possible variation is to rely for example only on the VE and 
thus not ask the user for example about Internet access by programs that arc 
limited in their VE and have not been given any additional access rights, but 
this embodiment is less preferable, since it would enable for example a 
compromised Word.exe to send files outside without permission, or a Virus 
for example to further propagate itself, or for example a zombie program to 
participate in a DDOS attack (Distributed Denial of Service), or a malicious 
program for example to simply take over the Internet connection and for 
example waste or block most or all of the bandwidth). However, If the user is 
an organization, then for example the system administrator might have much 
more control, for example as described in any of the relevant variations in the 
reference to Fig. lb. In that case the Sys admin can be for example the only 
one who authorizes programs to be installed with access rights outside their 
normal VE, and then there is no need for the Security to tell the individual PC 
users for example if a program cannot function properly since it is trapped in 
its VF. On the other hand, since the administrator might also make mistakes or 
his computer might be for example compromised, preferably the additional 
safeguards arc still applied for each computer for example when programs that 
have higher access rights try to do highly dangerous or suspect activities, or 
when the user gives such access rights to programs (for example by mistake or 
on purpose) for example through the dialog box. However, as described in the 
reference to Fig. lb, one of the possible variations in this case is that all the 
warnings arc for example sent to the System administrator's computer, and 
preferably only he can authorize them or not. If shared drives arc allowed for 
example in a network, preferably either only the user is allowed to access files 
on shared drives on other computers, or for example each program is allowed 
to see and access in each shared drive only the same VE that it has on its own 
computer, so that for example it can sec only corresponding subdirectories on 
the other computers. Another possible variation is that it can see the 
corresponding subdirectories only on shared drives that have the same drive 
letters as the drive or drives on which its own VE resides. As explained above 
in the reference to fig. lb and in function 9 of the reference to Fig. 1, 
preferably when a device driver attempts to be installed, the user or the 
administrator is explicitly asked about it, and preferably additional limitations 
arc also used, such as for example limiting each device driver to only one 
specified type of device or devices, and/or, associating at least some device 
drivers to only a certain program or VE. Since device drivers that handle for 
example the storage media (and especially the hard disks), device drivers that 
handle the computer's memory and device drivers that handle the 
communication channels, are typically the most strategically important, 
preferably the user is wamed more explicitly about attempts to install such 
drivers, and/or for example only the administrator is allowed to authorize 
them, and/or for example such drivers can only come with the operating 
system itself and/or for example they are replaced by drivers supplied by the 
security system itself In device drivers that can access directly for example 
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the hard disk or the RAM, of enforcing segregation might be problematic, 
since by their very nature they can be used to by-pass the segrega ion rules^ 
Hovwver. if for example some new game is willing to run only with its own 
screen driver, preferably, such driver is allowed to be used only 7*'" 
of that game. If this screen driver is indeed limited to access only screen 
and cannot leave for example side effects that can affect ^^^er progranis whiU 
swapping out during multi-tasking, then there can be also en^bodiments wtere 
there is no need for permission from the user to install such device drivers. 
Another possible variation is that even for example drivers that go the disk can 
be as.sociated with a certain VE. so if they are for example in ring 1 and the 
security system in ring 0. the security system decides which actions to allow 
them to perform accoixling to the definitions of their VI: Another possible 
variation is that no application is allowed to install any drivers that access 
directly hardware elements, bul only drivers that call the actual hardware 
drivers. Another possible variation is that for example no applications are 
allowed to install any drivers at all. since this is needed only in rare occasions. 
Another po.ssible variation is that for example only device dnvcrs supplied by 
the operating system itself and/or duly certified and digitally signed device 
driven that have not been changed since the certification are allowed, and no 
application is allowed to install any other device drivers, or at lea.«;t any device 
drivers that can access for example the storage media, the memory or the 
communication cards. Of course, various combinations of the above and other 
variations can also be used. Since all new programs are installed in their own 
VE (except when explicitly requested otherwise by the user), it bcconies^ very 
easy to undo (or at least remove) any installation that has gone bad. tor 
example because of some bug in the operating system or in the program or 
because it is a malicious program. So the user can very easily request an undo 
of the installation. However, if the user requests the undo after additional 
programs have been installed who's VE is for example based in part on the 
previous VE, then preferably either they are removed too. or lor example he 
security system is able to automatically restore them after removing the 
problematic program with its VE. Another possible variation is that even if the 
user for example allows a newly installing program to inherit or overwrite an 
existing VB, the security system preferably first creates a virtual private 
environment copy of the modified directories (like described for example in 
Feature number 8 of the reference to Fig. 1), at least for a certain period, so 
that the user can preferably still request to undo this if he made a ""stfl^e; a* 
least for a certain period. After this period preferably for example the VE 
limitations can be lifted or this VE is merged with the intended Vb. Another 
possible variation is that the security system backs up all the changed li es or 
directories at least for a certain time and/or keeps for example a rollback log 0 
all changes that were made to the relevant files and directones or even of all 
changes anywhere in the disk, in order to enable the undo if the user needs it. 
Another possible variation is that even when the user allows a program to be 
installed without VE limitations, any changes in the entire hard disk after or 
during the installation, are completely undo-able at least for a certain time 
period. This is more comprehensive than the current "undo" feature that 
Microsoft offers after installing new software, since the current features only 
allow restoring the registry and sy.stem files, and even that not always 
completely, whereas any other changes to directories or files cannot be 
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undone. An even more extreme variation is that for example any changes at all 
that happen on the hard disk (and possibly even on other connected media) at 
any time are completely undo-able at least for a certain time period, in a way 
similar for example to the undo feature in a single Word document. This can 
be enabled for example by creating a backup of each changed file or directory 
in another area at least for a certain time period or until for example the 
backup buflcr becomes full and older backups have to be deleted 
automatically. Another possible variation, which saves much more space, is 
for example to keep preferably a rollback log of all changes for example of 
directories, files, FA T areas, and/or any other data (such as for example even 
any low-level changes in disk tracks), so that any changes that were made on 
the storage media can be rolled back by simply tracing back the log of 
changes. Preferably this rollback log is based on a circular buffer. Preferably 
this log is encr>'pted and is highly guarded and/or is kept also in more than one 
place, in order to reduce the chance of its destruction by mistake or by some 
malicious software. This way even if the user has made a horrible mistake and 
the entire system has been compromised, even the worst damage can 
preferably still be automatically undone. Since the Security System constantly 
guards itself and its files and preferably also these logs from any anauthorized 
changes, it is still safe to activate the undo when the user needs it. Another 
possible variation of implementing this is that even if the user requested 
installation without VIZ limitation, the new program is first installed in a 
separate VE, and only after a certain time period or after the user authorizes it 
(and/or for example after the security system checks various parameters to sec 
that things seem ok), the VE limitations are lifted or this VE is merged with 
the unlimited VE. The various embodiments or features of this invention and 
especially those described here may be very useful for example in 
combination with the new Palladium system recently suggested by Microsoft 
(and/or similar systems that exists or will exist in he future), because the 
Palladium is like a safety vault in a bank, except that there is only one safe in 
the entire bank and programs can access this common safe and request various 
services from it only if they have some signatures that mean that they have 
been certified by someone and have not been changed since then. The concept 
of such certification can be very problematic because it means that programs 
have to be certified in advance in order to be allowed to run on the OS or 
request certain services from it. so it could make development of new 
programs problematic, and also various falsifications could insert dangerous 
Trojan horses or compromise the concept in many other ways. Also, the 
certification process itself might be of limited value even if for example during 
the certification various behaviors of new programs are checked, since it could 
miss the fact that some certified program is actually a Trojan horse designed to 
explode for example 2 years later or is designed to become for example a 
spyware for example only under certain conditions that are not discovered 
while it is being certified, or the certified program has for example numerous 
security Haws that can later be discovered and exploited. Or the certification 
might not include any behavior checks but rely only on identifying vendors 
with some Id and making sure that the certified program has not been changed 
in any way since its certification, but this could still be very unreliable by 
itself because of ihc possibility of falsification and because dangerous 
behavior of a certified program can be caused for example by error or by some 
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employee that inserts dangerous code on purpose. And even for example a 
security patch that has been certified and thus can for example update another 
ccrtillcd program might still have for example a falsified certificate or for 
example is legitimate but inadvertently introduces new vulnerabilities. In 
contrast, the concept of the automatic segregation can make much belter use of 
the Palladium, because by default any program can request services from that 
safe only for accessing is own segregated world. In order to make this more 
efficient in organizations, preferably one computer can be used for example 
for learning all of the segregation rules and virtual environment parameters for 
each program, and this knowledge can be transferred to all the other 
computers in the organization, without the need to install the Security System 
before the other applications in the other computers. This last option is 
preferably used lor example in organizations that want to install the security 
system on computers that are already installed with various programs after the 
Operating System. So preferably that one computer is installed from the 
beginning with the security system before any other program is installed on 
the OS. and then preferably all the other programs that are installed on 
computers in the organization are installed on it in order to learn the basic 
rules automatically so that they can be transferred to the other computers m 
the organization. Of course, if the security system is made part of the 
operating system itself (for example integrated into it by Microsoft, in case of 
a Microsoft OS such as windows), then the security system is by definition 
installed always during the installation of the operating system in all new 
computers that install this new OS, so by definition it is automatically installed 
before any other program. Preferably, in this case it is also installed for 
example before any applications that can access the Internet even if those 
applications are considered an integral part of the Operating system, such as 
for example MSIE, Microsoft Media Player, etc., so that for example the VE 
of these applications can be automatically determined during their installation. 
Another possible variation is that the security system is installed for example 
BEFORK the operating system or before mo.st other parts of it. Of course 
various combinations of the above and other variations can also be used, as 
explained above. 

Referring to Fig. 12, we show a visual illustration of the more extreme 
implementation of keeping preferably each program in a 'Bubble^ of virtual 
environment, so that the application can only see itself (2001) and not other 
programs or directories except its virtual environment (2002). which contains 
the operation system and the resources it is allowed to see. Only by explicit 
permission from the user can the program see other programs or directories or 
their data or access other system resources. 

Referring to Fig. 13, we show a visual illustration of a preferable configuration in a 
possible variation in which individual computers in an organization (3001- 
3005). each with its own installation of the Security System, are connected to 
the Internet (3020) through the central authority's computer, such as for 
example the system administrator (3010) (or though another gateway 
computer, such as for example the network's firewall, which supplies 
information to the central authority about the amount of data actually sent 
from each computer), with if s own installation of the Security System, so that 
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the Securily System on the central authority's computer can also for example 
( notice and intercept communication attempts from computers where the 

amount of actual communication does not fit the amount reported by the 
Security System of thai computer, as described in the reference to fig. 1 b. 

While the invention has been described with respect to a limited number of 
embodiments, it will be appreciated that many variations, modifications, 
expansions and other applications of the invention may be made which arc 
included within the scope of the present invention, as would be obvious to those 
skilled in the art. 



( 
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CLAIMS 

claim: 

K A security system for compulers, adapted to creating automatic 
segregation between programs, 

2. I hc system of claim 1 , further comprising: 

a. A monitoring and capturing system; 

b. A database of security rules, comprising at least one of: a 
set of default rules, a set of pre-distribution acquired rules 
that are good for many users of the selected operating 
system, and acquired additional user-defined rules; 

c. A user interface, which can interact with the user in order 
to at least one of: learn acceptable behavior patterns, warn 
the user of perceived dangers and wait for his 
authorization whenever necessary. 

3. The system of claim 2, wherein: 

a. Said monitoring and capturing system constantly monitors the 
security-sensitive elements of the computer system, and mainly 
all relevant, peripheral device activities, and especially storage 
devices and communication devices, and detects and selectively 
intercepts any security-sensitive or suspicious or dangerous- 
behaviors and acts upon it in accordance with at least one of 
default and acquired sets of security rules, and may ask for user 
authorization and guidance whenever necessary; 

b. Said database of security rules comprises at least one of: a set 
of default rules, a set of pre-distribution acquired rules that are 
good for most users of the selected operating system, and 
acquired additional user-defined rules, said database being 
constantly monitored as a high-security protected area; 

c. Said user interface, which can interact with the user for at least 
one of: learning acceptable behavior patterns, warning the user 
of perceived dangers and waiting for his authorization 
whenever necessary, and allowing the user to view and modify 
the database of authorizations. 

4. The system of claim 2 wherein said user interface at least also warns the 
user explicitly in cases of potentially highly dangerous activities, 

5. The system of claim 2 wherein said database comprises also at least 
learned statistics of normal and reasonable behavior of programs in the 
user's computer. 

6. The system of claim 2 wherein said user interface at least also allows the 
user to view statistics of behavior of important programs and csj^cially 
programs that are allowed to access communication channels, especially in 
what is related to sending and receiving data over the communication 
lines. 
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7. The system of claim 2 wherein said database comprises also at least a log 
of the questions that the Security System asked the user and his replies 
kept at least for a certain period. 

8. The system of claim 2 wherein said database comprises also at least, when 
needed* a log of suspicious activities detected kept at least for a certain 
period. 

9. The system of claim 2 wherein said security rules and f unctions performed 
by the Security System comprise automatic segregation of programs into 
their natural environments and at least some of the following functions: 

a. Constantly monitoring the security-sensitive elements of the 
computer system, and mainly all relevant peripheral device 
activities, and especially storage devices and communication 
devices, and detecting and selectively intercepting security- 
sensitive behaviors, suspicious behaviors and dangerous 
behaviors and acting upon them in according with default and 
acquired sets of security rules, 

b. At least one of Warning the user and request for authorization 
and automatic interception for security-sensitive activities and 
especially any first-time attempts to access communication 
channels, 

c. Enabling the user to request at least one of automatic blocking 
and warning of the user of any attempts of external programs 
from the network to connect to the user's computer through the 
communication channels, 

d. Interception and more explicit warning of the user about 
potentially highly dangerous activities. 

10. The system of claim 9, comprising also at least warning the user about 
significant statistical deviations from normal behaviors of applications and 
operating system and especially as relates to suddenly sending out large 
amounts of data. 

1 1 . The system of claim 9, comprising also at least enabling the user to 
request enforcing of at least one of additional limitations on the 
communication ports allowed to be opened and when needed also 
limitations on types of protocols allowed. 

12. The system of claim 9, comprising also at least monitoring and 
intercepting as much as possible all attempts of applications to gain direct 
port accesses to security sensitive devices and especially the storage media 
and the communication channels. 

13. The system of claim 9. comprising aLso at least implementing Virtual 
Shared data areas on the storage media, for at lea.st one of temporary files 
and accessing keys in the registry and other files, so that programs are 
given the illusion that they are accessing the shared area, but in reality arc 
each redirected to a separate private area. 
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14 The system of claim 2, comprising also pushing ai least part of the 
operating system from the most privileged processor nng to a lower 
privilege ring and enabling needed functions to run in said lower privilege 
ring. 

15. The system of claim 14 wherein said pushing is done in order to catch 
also backdoors and loopholes in the operating system itself. 

16 The system of claim 2 wherein said monitoring and capturing system 
includes also a hardware elemcm which monitors hardware accesses, so 
that the Security System can discover events where access has been made 
to the security-sensitive ports, especially the storage media and the 
communication channels, without an apparent correspondmg event on the 
system level as monitored by said Security System's software. 

17 The system of claim 2 wherein said default automatic segregation is 
■ implemented so that, by default, each program is allowed to access, such 

as read, write, execute, create, and delete, files only within its natural 
environment. 

18 The system of claim 17 wherein said natural environment is mainly the 
directory in which it is installed, its sub-directories, and - for reading only 
- non-strategic shared files, unless the program is explicitly given more 
rights. 

1 9 The system of claim 1 wherein said computer is at least one of a personal 
computer, a network server, a cellular phone, a palm pilot, a car computer, 
and/or other computeri/ed gadget. 

20. The system of claim 3 wherein high security protected areas are also 
encrypted. 

21 The system of claim 3 wherein high security protected areas are also 
automatically backed up to as least one more area for additional safety. 

27 The system of claim 20 wherein high security protected areas are also 
automatically backed up to as least one more area for additional safety 

23. I he system of claim 3 wherein said communication devices include also 
USB interfaces. 

24. The system of claim 3 wherein said communication devices include also 
at least one of Bluetooth devices and other wireless devices. 

25. I he system of claim 3 wherein monitoring access to communication 
devices includes also protocols for sending l-axes. 



Patent provided by Sughrue Mion. PLIC - tittp://www.sughcud.com 



48 



26. The system of claim 9 wherein high security protected areas are also 
encrypted. 

27. The system of claim 9 wherein high security protected areas are also 
automatically backed up to as least one more area for additional safety. 

28. The system of claim 26 wherein high security protected areas are also 
. automatically backed up to as least one more area for additional safely 

29. The system of claim 9 wherein said communication devices include also 
USB interfaces. 

30. The system of claim 9 wherein said communication devices include also 
at least one of Bluetooth devices and other wireless devices. 

31. The system of claim 9 wherein monitoring access to communication 
devices includes also protocols for sending Faxes. 

32. A security method for computers, capable of creating automatic 
segregation between programs. 

33. The method of claim 32. further comprising: 

a. Providing a monitoring and capturing system; 

b. Creating and maintaining a database of security rules, comprising 
at least one of: a set of default rules, a set of pre-distribution 
acquired rules that are good for many users of the selected 
operating system, and acquired additional user-defined rules; 

c. Providing a user interface, which can interact with the user in 
order to at least one of: learn acceptable behavior patterns, warn 
the user of perceived dangers and wait for his authorization 
whenever necessary. 

34. The method of claim 33, wherein said main 3 elements arc: 

a. Providing a monitoring and capturing system, which constantly 
monitors the security-sensitive elements of the computer system, 
and mainly all relevant peripheral device activities^ and 
especially storage devices and communication devices, and 
detects and selectively intercepts any security-sensitive or 
suspicious or dangerous behaviors and acts upon it in accordance 
with at least one of default and acquired sets of security rules, 
and may ask for user authorization and guidance whenever 
necessary; 

b. Creating and maintaining a database of security rules, comprising 
at least one of: a set of default rules, a set of pre-distribution 
acquired rules that are good for most users of the selected 
operating system, and acquired additional user-defined rules, said 
database being constantly monitored as a high-security protected 
area; 

c. Providing a user interface, which can interact with the user for at 
least one of: learning acceptable behavior paUems* warning the 
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user of perceived dangers and waiting for his authorization 
whenever necessary, and allowing the user to view and modify 
the database of authorizations. 

35. The method of claim 33 wherein said user interface at least also warns the 
user more explicitly in cases of potentially highly dangerous activities. 

36. The method of claim 33 wherein said database comprises also of at least 
continuously learned statistics of normal and reasonable behavior of 
programs in the user's computer. 

37. The method of claim 33 wherein said user interface at least also allows the 
user to view statistics of behavior of important programs and especially 
programs that are allowed to access communication channels, especially in 
what is related to sending and receiving data over the communication 
lines. 

38. The method of claim 33 wherein said database comprises also of at least a 
log or the questions that the Security System asked the user and his replies 
kept at least for a certain period. 

39. The method of claim 33 wherein said database comprises also of at least, 
when needed, a log of suspicious activities detected kept at least for a 
certain period. 

40. The method of claim 33 wherein said security rules and functions 
performed by the Security System comprise automatic segregation of 
programs into their natural environments and at least some of the 
following functions: 

a. Constantly monitoring the security-sensitive elements of the 
computer system, and mainly all relevant peripheral device 
activities, and especially storage devices and communication 
devices, and detecting and selectively intercepting security- 
sensitive behaviors, suspicious behaviors and dangerous 
behaviors and acting upon them in according with default and 
acquired sets of security rules, 

b. At least one of Warning the user and request lor authorization 
and automatic interception for security-sensitive activities and 
especially any first-time auempts to access communication 
channels, 

c. Hnabling the user to request at least one of automatic blocking 
and warning of the user of any attempts of external programs 
from the network to connect to the usef s computer through the 
communication channels, 

d. Interception and more explicit warning of the user about 
potentially highly dangerous activities. 

41, The method of claim 40, comprising also at least warning the user about 
significant statistical deviations from normal behaviors of applications and 
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operating system and especially as relates to suddenly sending out large 
amounts of data. 

42. The method of claim 40, comprising also at least enabling the user to 
request enforcing of at least one of additional limitations on the 
communication ports allowed to be opened and when needed also 
limitations on types of protocols allowed. 

43. The method of claim 40. comprising also at least monitoring and 
intercepting as much as possible all attempts of applications to gain direct 
port accesses to security sensitive devices and especially the storage media 
and the communication channels. 

44. 1 he method of claim 40, comprising also at least implementing Virtual 
Shared data areas on the storage media, for at least one of temporary files 
and accessing keys in the registry and other files, so that programs are 
given the illusion that they are accessing the shared area, but in reality are 
each redirected to a separate private area. 

45. The method of claim 40, comprising also at least pushing, to the extent 
possible, at least part of the operating system from the most privileged 
processor ring to a lower privilege ring and enabling needed functions to 
run in said lower privilege ring, 

46. The method of claim 45 wherein said pushing is done in order to catch 
also backdoors and loopholes in the operating system itself. 

47. The method of claim 40 wherein said monitoring and capturing system 
includes also a hardware element which monitors hardware accesses, so 
that the Security System can discover events where access has been made 
to the security-sensitive ports, especially the .storage media and the 
communication channels, without an apparent corresponding event on the 
system level as monitored by said Security Sy.stem*s software. 

48. fhe method of claim 40 wherein said default automatic segregation is 
implemented so that, by default, each program is allowed to access, such 
as read, write, execute, create, and delete, files only within its natural 
environment 

49. The method of claim 1 7 wherein said natural environment is mainly the 
directory in which it is installed, its sub-directories, and - for reading only 
- non-strategic shared files, unless the program is explicitly given more 
rights. 

50. The method of claim 32 wherein said computer is at least one of a 
personal computer, a network server, a cellular phone, a palm pilot, a car 
computer, and/or other computerized gadget. 
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51. The method of claim 33 wherein high security protected areas arc also 
encrypted. 

52 The method of claim 33 wherein high security protected areas arc also 
■ automatically backed up to as least one more area for additional safety. 

53 The method of claim 51 wherein high security protected areas are also 
' automatically backed up to as least one more area for additional safety 

54. The method of claim 34 wherein said communication devices include also 
USB interfaces. 

55 The method of claim 34 wherein said communication devices include also 
at least one of Bluetooth devices and other wireless devices. 

56. The method of claim 34 wherein monitoring access to communication 
devices includes also protocols for sending l axes. 

57. The method of claim 40 wherein high security' protected areas are also 
encrypted. 

58 The method of claim 40 wherein high security protected areas are also 
automatically backed up to as least one more area for additional safety. 

59 The method of claim 57 wherein high security protected areas are also 
automatically backed up to as least one more area for additional safety 

60. The method of claim 40 wherein said communication devices include also 
USB interfaces. 

61 . The method of claim 40 wherein said communication devices include also 
at least one of Bluetooth devices and other wireless devices. 

62. The method of claim 40 wherein monitoring access to communication 
devices includes also protocols for sending I'axes. 

63 A computer security system capable of automatic segregation of programs 
into their natural environments so that each program is allowed to at least 
one of access, read, write, execute, create, and delete files only within its 
natural environment, which is mainly the directory in which it is installed, 
its sub-directories, and - for reading only - non-strategic shared files, 
unless specifically given more rights. 

64 A method of implementing security in computers by automatic 
segregation of programs into their natural environments so that each 
program is allowed to at least one of access, read, write, execute, create 
and delete files only within its natural environment, which is mainly the 
directory in which it is installed, its sub-directories, and - for reading only 
- non-strategic shared files, unless specifically given more rights. 
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65. A security system in any of cellular phones, car computers, and other 
computerized gadgets, wherein access to highly sensitive data, such as 
credit card details or private encryption keys, needs explicit permission by 
the user. 

66. A security system in any of cellular phones, car computers, and other 
computerized gadgets, wherein any attempt to automatically generate an 
outgoing communication needs explicit permission by the user. 

67. The system of claim 64 wherein any attempt to automatically generate an 
outgoing communication needs explicit permission by the user. 

68. The system of claim 64 wherein any attempts to alter at least one of 
EMROMM and important system files and sensitive data, need explicit 
permission by the user. 

69. The system of claim 2 wherein the user is an individual. 

70. The system of claim 2 wherein the user is an organization and at least some of 
the control over authorizations is in the hands of at least one central authority, 
such as the system administrator. 

71. The system of claim 70 wherein the Security System of the central authority 
also automatically checks at least once in a while if the Security System is 
functioning properly on the other computers. 

72. The system of claim 70 wherein the Security System on the central authority's 
computer can also notice and intercept commtmication attempts from 
computers where the amount of actual communication docs not fit the amount 
reported by the Security System of that computer. 

73. The system of claim I wherein the communications device of each computer 
can also notice and at least report back to the computer about cases where the 
amount of actual communication does not fit the amount reported by the 
Security System of that computer . 

74. The system of claim 70 wherein the communications device of each computer 
can also notice and at least report back to at least one of the computer and the 
central authority about eases where the amount of actual communication does 
not fit the amount reported by the Security System of that computer. 

75. The system of claim 70 wherein the communications device of each group of 
computers can also notice and at least report back to at least one of the 
relevant computer and the central authority about cases where the amount of 
actual communication does not fit the amount reported by the Security System 
of that computer. 

76. I'hc system of claim 1 wherein by default each program can only see itself and 
the operating system and the resources (software & hardware) that it is 
allowed to see, so that it lives in a Virtual tnvironment (VH). 
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77. The system of claim 9 wherein by default each program can only see itself and 
the operating system and the resources (software & hardware) that it is 
allowed to see, so that it lives in a Virtual Rnvironment (VE). 

78. The system of claim 1 wherein the Security System also identifies if the user 
or the application initiated accessing a file outside the natural environment of 
the program or other potential security-risk commands and so can allow more 
(lexibility and less limitations if the command was initiated directly by the 
user than if it was initiated by the application. 

79. The system of claim 76 wherein the Security System also identifies if the user 
or the application initiated accessing a file outside the natural environment of 
the program or other potential security-risk commands and so can allow more 
fiexibility and less limitations if the command was initiated directly by the 
user than if it was initiated by the application. 

80. The system of claim 78 wherein the Security System also makes sure that 
programs cannot create the false impression that certain actions were initiated 
by the user by falsifying user input through one of the input devices. 

81. The system of claim 79 .wherein the Security System also makes sure that 
programs cannot create the false impression that certain actions were initiated 
by the user by falsifying user input through one of the input devices. 

82. The system of claim 1 wherein the Security System also makes sure that when 
it requests authorization no other programs can enter false answers as if they 
were entered by the user through one of the input devices. 

83. The system of claim 9 wherein the Security System also makes sure that when 
it requests authorization no other programs can enter false answers as if they 
were entered by the user through one of the input devices. 

84. The system of claim 1 wherein in the cases where private keys arc generated 
or stored by the browsers, additional rules are used in order to identify the 
directories where these keys arc held, since otherwise accessing the keys by 
the browser would be within the browser's default authorization. 

85. The system of claim 9 wherein in the cases where private keys arc generated 
or stored by the browsers, additional rules arc used in order to identify the 
directories where these keys are held, since otherwise accessing the keys by 
the browser would be within the browser's default authorization. 

86. The method of claim 34 wherein the user is an organization and at least some 
of the control over authorizations is in the hands of at least one central 
authority, such as the system administrator. 

87. The method of claim 86 wherein the Security System on the central authority's 
computer can also notice and intercept communication attempts from 
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computers where the amounl of actual communication does not fit the amount 
rcptirtcd by the Security System of that computer. 

88. The method of claim 34 wherein the communications device of each computer 
can also notice and at least rcptirt back to the computer about cases where the 
amount of actual communication does not fit the amount reported by the 
Security System of that computer. 

89. The method of claim 86 wherein the communications device of each computer 
can also notice and at least report back to the central control about cases where 
the amount of actual communication does not tit the amount reported by the 
Security System of that computer. 

90. A security system wherein the user is an organization and at least some of the 
control over authorizations is in the hands of at least one central authority, 
such as the system administrator and Security System on the central 
authority's computer can also notice and intercept communication attempts 
from computers where the amount of actual communication does not fit the 
amount reported by the sot\warc of that computer. 

91. A security method wherein the user is an organization and at least some of the 
control over authorizations is in the hands of at least one central authority, 
such as the system administrator and Security System on the central 
authority's computer can also notice and intercept communication attempts 
from computers where the amounl of actual communication docs not fit the 
amount reported by the operating system of that computer. 

92. A security system wherein the communications device of each computer can 
also notice and at least report back to the computer about cases where the 
amount of actual communication does not fit the amount reported by the 
software of that computer. 

93. A security system wherein the user is an organization and the communications 
device of each computer can also notice and at least report back to the central 
control about cases where the amount of actual communication does not fit the 
amount reported by the software of that computer. 

94. A security method wherein the communications device of each computer can 
also notice and at least report back to the computer about cases where the 
amount of actual communication does not fit the amount reported by the 
software of that computer. 

95. A security method wherein the user is an organization and the 
communications device of each computer can also notice and at least report 
back to the central control about cases where the amount of actual 
communication does not fit the amount reported by the software of that 
computer. 
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96. The system of claim 72 wherein the security system of each computer also 
encrypts the outgoing data packets with a unique idcntiner for each computer 
and reports also additional data identifying the packets that are being sent out, 
and so thai at least one of the communication devices or the central authority 
can also find out if outgoing data packets have been changed. 

97. The system of claim 73 wherein the security system also encrypts the outgoing 
data packets and reports also additional data identifying the packets that are 
being sent out, so thai Ihe communication devices can also find out if outgoing 
data packets have been changed. 

98. The system of claim 74 wherein the security syslem of each computer also 
encrypts the outgoing data packets with a unique identifier for each computer 
and reports also additional data identifying the packets that are being sent out, 
and so that at least one of the communication devices or the central authority 
can also find out if outgoing data packets have been changed. 

99. The system of claim 90 wherein the security system of each computer also 
encrypts the outgoing data packets wilh a unique identifier for each computer 
and reports also additional data identifying the packets that are being sent out, 
and so that at least one of the communication devices or the central authority 
can also find out if outgoing data packets have been changed. 

100. The system of claim 92 wherein the security system also encrypts the 
outgoing data packets and reports also additional data identifying the packets 
that are being sent oul, so that the communication devices can also find out if 
outgoing data packets have been changed. 

101. The system of any of the above claims wherein the security system 
intercepts the operating system the moment it is being loaded into memory and 
transfers it to a higher ring so that any attempt by the operating system to 
access ring 0 will cause a CPU exception, and in order to increase efficiency 
the security system rewrites on the fiy each such command in the operating 
system code which is running in the computer's RAM to access instead the 
current ring in which it is in. so that the next time that line of code is accessed 
in memory, the exception will not occur anymore until the next boot. 

102. The system of any of the above claims wherein if an application 
changes after being given certain permissions, the user is notified about and 
asked again for permissions or such changes arc automatically prevented. 

103. The system of any of the above claims wherein the security system 
transfers only physical device drivers to a less privileged ring in order to be 
able to control direct access to physical devices. 

104. rhe system of any of the above claims wherein the operating system 
itself transfers physical device drivers to a less privileged ring in order to be 
able to control direct access to physical devices. 
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105. The system of any of the above claims wherein at least one of the 
physical device drivers and the operating system are still in ring 0 but there is 
at least one more privileged area within ring 0 which can catch exceptions 
caused by at least one of device drivers in ring 0 and the operating system 
itself. 

106. The system of any of the above claims wherein the communication 
device is also capable of generating aulomatically various reports on outgoing 
and/or incoming data and the security system makes sure that no other 
applications can interfere with the device driver of the communication card 
and thus interfere with these reports. 

107. The system of any of the above claims wherein the communication 
device is also capable of generating automatically various reports on outgoing 
and/or incoming data and the security system makes sure that no other 
applications can interfere with the device driver of the communication card 
and thus interfere with these reports. 

108. The system of any of the above claims wherein at least one of the 
physical device drivers and the operating system are still in ring 0 but there is 
at least one more privileged area below ring 0 which can catch exceptions 
caused by at least one of device drivers in ring 0 and the operating system 
itself 

109. A security system for computers wherein at least one of the physical 
device drivers and the operating system are still in ring 0 but there is at least 
one more privileged area within ring 0 or below ring 0 which can catch 
exceptions caused by at least one of device drivers in ring 0 and the operating 
system itself 

1 10. The system of any of the above claims wherein at least one part of the 
security system becomes active even if the computer is booted from any of a 
floppy drive or CD or network drive, or any other source that is not the normal 
boot area. 

111. A security system for computers wherein at least one part of the 
security system becomes active even if the computer is booted from any of a 
floppy drive or CD or network drive, or any other source that is not the normal 
boot area. 

1 12. The system of claim 1 1 1 wherein said activation is done by at least one 
of the BIOS and the processor itself before the normal boot sequence begins. 

1 13. The system of claim 1 1 1 wherein if the security system discovers that 
the BIOS has been compromised or corrupted, it can at least one of issue a 
warning and restore it from various preferably hidden backups. 

114. The system of claim 113 wherein the security system can determine 
that the bios has been compromised or corrupted by at least one of: if it was 
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changed without aulhorizalion according to a digital signature and if it starts to 
behave suspiciously. 

115 The system of claim 111 wherein when changes need to be made in at 
least one of the security system itself and the BIOS, a physical key needs to be 
physically attached to any of the computer or any of its peripheral devices 

1 16 The system of any of the above claims wherein the Security System 
ieams during the installation of new programs which files are related to them 
outside their directory tree. 

117 The system of any of the above claims wherein any attempts «f 
programs, initiated by the programs, to exceed their natural environments are 
automatically blocked by the security system. 

1 1 8. I he system of any of the above claims wherein the Security System is 
an integral part of the operating system. 

119 The'system of claim 76 wherein if an application •'^"n^^hes another 
application, the newly launched application is limited to the Vb of the 
launching application. 

PO The system of any of the above claims wherein if users download 
" many files into a single download directory, the security system at least one 
of use context sen^tive information, and detects if a downloaded program 
starts looking at tiles that were downloaded at ^ifferennu".'^^ "^.^^^^^ 
over the entire directory or tries to modify other executables m that directory. 

PI The system of any of the above claims wherein in oi-derto protect the 
sesresation of processes in memory, the Security System asks the use to 
expSy authorize programs that he wants to allow to access APIs that allow 
accessing the memory of other processes. 

122 The system of any of the above claims wherein in order to prevent 
device driven from accessing devices otherlhen those t^at they " e^ed 
to access, each device driver must have a definite type indicator and is allowed 
to access only devices of the indicated type. 

12-^ i he system of claim 122 wherein each device driver is also prevented 

from accessing other device drivere that can access other types ol devices. 

124 The system of any of the above claims wherein the security system 
replaces at least some of the Operating System s dialogue ^xes and mher 
components that can request input from the user, so that the Secunty System 
has more control on what is happening in them. 

125 The system of any of the above claims wherein programs are allowed 
to send OS messages only to programs which are running wiihin their own 
Virtual Environments 
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1 26. The system of any of the above claims wherein the Security system 
replaces at least some of the OS functions that deal with the OS message 
system, and attaches to each message an identification thai shows if the OS or 
another application is the source of the message, and the Security System 
allows certain messages to be initiated only by the OS. 

127. A security system wherein the Security system replaces at least some 
of the OS functions that deal with the OS message system, and attaches to 
each message an identification that shows if the OS or another application is 
the source of the message, and the Security System allows certain messages to 
be initiated only by the OS. 

128. The system of any of the above claims wherein in order to prevent 
misleading textual questions the Security system uses also at least partial 
semantic analysis of what the user is really being asked, by at least one of: 
analyzing sentence structures or at least significant word combinations and/or 
using various rules and/or a statistical database of commonly used questions. 

129. The system of any of the above claims wherein in order to prevent 
misleading textual questions the Security system guards at least the top line 
title of the dialogue box, so the when it is an ''open file" dialogue box, it will 
always say so clearly, and if it is a ''save file'* dialog box it will always say so 
clearly. 

130. The system of any of the above claims wherein a new protocol is 
introduced for dialogue boxes, in which only the security systems runs 
completely the dialogue box and the programs have to indicate in a more 
structured format, what they want exactly. 

131. The system of any of the above claims wherein the security system 
automatically blocks potentially highly dangerous activities or asks the user 
for explicit authorization, even if the user supposedly allowed this to an 
application through the dialog box. 

132. The system of any of the above claims wherein the security system 
knows automatically about at least some highly important user files and 
directories. 

133. The system of claim 132 wherein said files are at least one of ".doc'' 
files and source code files, and said directories are at least directories 
containing such files, at least if these files were created by the user. 

134. The system of claim 132 wherein the security system can identify 
strategic files and/or directories by at least one of: using predefined rules; 
automatically marking programs as highly strategic according to the number 
and/or types of authorizations they have and/or by the fact that the user is 
using them interactively more than other programs or files or directories; and 
allowing the user explicitly to mark certain directories and/or certain file name 
extensions as highly protected. 
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135. The syslem of claim 132 wherein the user is explicitly warned by the 
security system about attempts of programs to access highly important user 
nics or directories even if the user supposedly allowed the program to access 
them through the dialogue box - if the program is nol normally associated 
with such files or directories. 

136. I he system of any of the above claims wherein installed drivers can 
also be associated with Virtual Hnvironments, and thus limited in the scope of 
their actions. 

137. rhe system of any of the above claims wherein the security system 
prevents running processes from at least one of: changing their code in 
memory and changing the disk tile of their executable code. 

138. The system of any of the above claims wherein at least one of 
programs that can access the Internet, Browsers, important Operating system 
files, and other highly strategic programs, cannot be changed or cannot run 
EVEN if the user authorizes the change directly to the Security System, unless 
the update or patch carries a digital certificated that proves that it is indeed an 
authorized and unchanged otTicial patch by the vendor who made the original 
program. 

139. The system of any of the above claims wherein the security system 
also prevents applications from accessing directly lower level functions that 
can access devices except by calling them through the normal kernel interface. 

140. The system of any of the above claims wherein unless explicitly given 
additional rights by the user all of the actions initiated by a program are 
automatically limited to the scope of its own VE. 

141. rhe system of any of the above claims wherein when a new program is 
being installed the user has the option of choosing a new VK for that program, 
or allowing it to become an update of an already existing VE, or allowing it to 
have free access to the entire computer. 

142. The system of claim 140 wherein the user is able to correct mistakes, 
at least for a certain time, by undoing the installation of programs, at least 
when they are installed in a limited VE. 

143. The system of any of the above claims wherein if shared drives are 
allowed, only the user is allowed to access files on shared drives on other 
computers, or each program is allowed to see and access in each shared drive 
only the same VE that it has on its own computer. 

144. The system of claim 140 wherein if the user allows a newly installing 
program to inherit or overwrite an existing VE, the security system first 
creates a virtual private environment copy of the modified directories, at least 
for a certain period, so that the user can still request to undo this if he made a 
mistake, at least for a certain period. 
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145. The system of claim 140 wherein Ihe security system backs up all the 
changed files or directories at least for a certain time and/or keeps a rollback 
log of all changes that were made to the relevant files and directories or even 
of all changes anywhere in the disk, in order to enable the undo if the user 
needs it. 

146. The system of claim 1 40 wherein even when the user allows a program 
to be installed without VF limitations, any changes in the entire hard disk after 
or during the installation, arc completely undo-able at least for a certain time 
period. 

147. The system of any of the above claims wherein any changes that 
happen on at least one of the hard disk and other connected media are 
completely undo-able at least for a certain time period, by keeping a rollback 
log of all changes or of all significant changes. 

148. The system of claim 140 wherein even if the user requested installation 
without VE limitation, the new program is first installed in a separate VE, and 
only after a certain time period or after the user authorizes it (and/or for 
example after the security system checks various parameters to see that things 
seem ok), the VE limitations are lifted or this VE is merged with the unlimited 
VE. 

149. A security system in computers wherein the security system 
automatically blocks potentially highly dangerous activities or asks the user 
for explicit authorization. 

150. The system of claim 149 wherein said potentially highly dangerous 
activities are at least I of: formatting a drive, mass deletion of files, changing 
hard disk partition information, changing boot area information, installing 
drivers in levels close to the kernel of the operating system, modifying 
cxecutables that reside outside the natural environment of the offending 
executable programs, renaming them, renaming directories, and changing the 
linking of file types with applications that will be run when clicking on them. 

151. The system of claim 149 wherein the security system can identify at 
least one of strategic files and strategic directories by at least one of: using 
predefined rules: automatically marking programs as highly strategic 
according to the number and/or types of authorizations they have and/or by the 
fact that the user is using them interactively more than other programs or files 
or directories; and allowing the use/ explicitly to mark certain directories 
and/or certain file name extensions as highly protected. 

152. As security system wherein the communication with at least one of a 
keyboard and a mouse uses encryption in order to prevent falsifying user 
responses. 

1 53. The security system of claim 1 52 wherein said encryption includes also 
a date & time stamp. 
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AMiri>mRP CLAIMS 

cl&im* 

1 A securiiy system for Minputers that does not depend on 
about the specific identities of malicious programs, wherein said 
computers are at least one of a personal computer, a network server, a 
ocUuIar phone, a palm pilot, a car computer, and/or other computenzed 
gadget, comprising at least one of: 
a A system for automatic segregation between programs that is 
applied also to at least one of hard disks and other storage media; 

b. An independent device that is adapted to notice and intercept 
whenever the amount of data achiaUy sent out from a computer 
does not fit the amount reported by at last one of: the Security 
System installed on the computer, and the communications 
software of the computer; 

c. A system for automatically blocking a wide range of potentially 
highly dangerous activities or asking the user for expUcit 

authorization for them; and 

d. A system for preventing maUcious software from fehjifying the, 

user's input. 

2. The system of claim 1, fiirther comprising: 

a. A monitoring and capturing system, which monitors at least 

one of storage devices and communications devices; 

b. A database of security rules, comprising at least one of: a set 
of default mles. a set of pre-distribution acquired rules Uiat 
are good for many users of the selected operating system, 
and acquired additional uscr-defmed rules; and 

c. A user intetfiice, which can interact witii the user in order to 

at least one o£ leam acceptable behavior patterns, warn the 
user of perceived dangers, wait for his authorization 
whenever necessary, and allow tbe user to view and modi^ 
the database of authorizations. 

3. The system ofclaim 2 whereta at least one of: 

a. Said user interfece at least also wams the user expUcitiy in 

cases of potentiaBy highly dangerous activities; 
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b. Said database comprises also at least learned statistics of 
norma] and reasonable behavior of programs in the user^s 
computer; 

c. Said user interface at least also allows the user to view 
statistics of behavior of important programs and especially 
programs that are allowed to access communication 
channels, especially in what is related to sending and 
receiving data over the communication lines; 

d. Said database comprises also at least a log of the questions 
that the Security System asked the user and his replies kept 
at least for a certain period; and 

e. Said database comprises also at least, when needed, a log of 
suspicious activities detected kept at least for a certain 
period. 

The system of any of the above claims wherein tfie security rules and/or 
functions performed by the Security System comprise automatic 
segregation of programs into their natural environments and at least one 
of the following: 

a. Constantly monitoring the security-sensitive clemrats of the 
computer system, and mainly all relevant peripheral device 
activities^ and especially storage devices and communication 
devices, and detecting and selectively intercepting security- 
sensitive behaviors, suspicious behaviors and dangerous 
behaviors and acting upon them m according wHh defiuilt and 
acquired sets of security rules; 

b. At least one of Warning the user and request for authorization 
and automatic interception for security-sensitive activities and 
especially any first-time attempts to access communication 
channels; 

c. Enabling the user to request at least one of automatic blocking 
and warning of the user of any attempts of external programs 
from the network to connect to the user's computer through the 
comununicadoh channels; 

d. Interception and mwe explicit warning of die user about 
potentially highly dangerous activities; 
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t. Warning the user about significant stotistfcaldeviaUoajfr^ 
nonnal behaviors of applications and operating system and 
especially as relates to suddenly sending out large amounts of 
data; 

f. Enabling the user to request enforcing of at least one of 
additional limitations on the commonication ports allowed to be 
opened and when needed also limitations on types of protocols 
allowed; 

g. Monitoring and intereepting as much as possible all attempts of 
' applications to gain direct port accesses to security sensitive 

devices and especially the storage media and the communication 
channels; 

h. Implementing VirtualShareddat8areasonthestoragemedia.for 
at least one of temporaiy files and accessing keys in the registry 
and other files, so that programs are given the iUusion that they 
aie accessing the shared area, but in reality are each redirected to 
a separate private area; and 

i. Pushing at least part of the operating system fixMn the most 
privileged processor ring to a lower privilege ring and enabling 
needed fimcdons to run In said lower privUege ring. 

■n»e system of any of the above clainas wherein said monitoring and 
capturing system includes also a hardware element which monitors 
hardware accesses, so that the Security System can discover events 
where access has been made to the security-sensitive ports, especially 
the storage media and the communication channels, without an apparent 
conesponding event on the ^stem level as monitored by said Secunty 
System's software. 

The system of any of the above claims wherein said delkult automatic 
segregation is implemented so that, by defeult, each program is allowed 
to at least one of access, read, write, execute, create, and delete files 
only within its natural environment, and said natural environment is 
mainly the directory in which H is installed, its subKlirectpries. and - for 
reading only - non-stmtogic shared files, unless the program is exphciUy 
given more rights. 
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1. The system of any of the above claims wherein high security protected 
areas are at least one of: encrypted, marked with a finger print, and 
automatically backed up to as least one more area for additional safety, 

8. The system of any of the above claims wherein the communication 
devices include also ai least one of USB devices, Bluetooth devices and 
other wireless devices, and/or wherein the monitoring of access to 
commimication devices includes also protocols for sending Faxes- 



9. A security method for computers that does not depend on informatiCHi 
about the specific identities of malicious programs, wherein said 
computers are at least one of a personal computer, a network server, a 
cellular phone, a pabn pilot, a car computer^ and/or other computerized 
gadget, comprising the steps of using at least one of: 

a. A method for automatic segregation between programs that is 
applied also to at least one of hard disks and other storage media; 

b. An independent device that is adapted to notice and intercept 
whenever the amount of data actually sent out from a computer 
does not fit the amount reported by at last one of: the Security 
System installed on the ccxnputer, and die communications 
software of the computer; 

c. A method for automatically blocking a wide range of potentially 
highly dangerous activities or asking the user for explicit 
authorization for them; and 

d. A method for preventing malicious software fi:om falsifying the 
user's input 

10. The method of claim 9, further comj^ising: 

a. Providing a monitoring and c^turing system, which 
monitors at least one of storage devices and conununications 
devices; 

b. Creating and maintaining a database of security rules^ 

comprisiiiig at least one of: a set of de&ult rules, a set of pre- 
distribution acquii^ rules that are good for many users of 
the selected cq>erating system, and acquired additional user- 
defined rules; and 

c. Providing a user interface, which can interact with the user in 

order to at least one of: learn acceptable behavior patterns. 
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vram Ae user of perceived dangers and wait for his 
authorization whenever necessaiy. 

The method of claim 10 wherein at least one of: 

a. Said user interfece at least also wains the user explicitly in 

cases of potentially highly dangerous activities; 
b Said database comprises also at least learned statistics of 

normal and reasonable behavior of programs in the user»s 

cMoputer, 

Said user interfece at least also aUows the user to view 
statistics of behavior of important programs and especially 
prognuns that are allowed to access conunumcation 
channels, especially in what is related to sending and 
receiving data ovw the communication lines; 
Said database comprises also at least a log of the questions 
thai the Security System asked the user and his replies kept 
at least for a certain period; and 

Said database comprises also at least, when needed, a log of 
suspicious activities detected kept at least for a certain 
period. 

2 The method of any of the above claims wherein the security rules 
and/or fiincUons performed by the Security System comprise automatic 
segregation of programs into their natural emiroomenta and at least one 
of the following: 

a Constantly monitoring the security-sensitive elements of the 
computer system, and mainly all relevant peripheral device 
activities, and especially storage devices and communication 
devices, and detectfaig and selectively intercepting security- 
sensitive behaviors, suspicious bchaviois and dangerous 
behaviors and acting upon them in according with defiiult and 

acquired sets of security, rules; 
b. At least one of Warning the user and request for authorization 
and automatic mterception for security-sensitive activities and 
especiaUy any first-time attempts to access communication 
channels; 



e. 
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c. Enabling the user to request at least one of automatic blocking 
and warning of the user of any attempts of external programs 
from the network to connect to the user's computer through the 
communication channels; 

d. Interception and more explicit warning of the user about 
potentially highly dangerous activities; 

c. Wanung the user about significant statistical deviations from 
normal brfiaviors of applications and operating system and 
especially as relates to suddenly sending out large amounts of 
data; 

C Enabling the user to request enforcing of at least one of 

additional limitations on the communication ports allowed to be 
opened and when needed also limitations on types of protocols 
allowed; 

g. Monitoring and intercepting as much as possible all attempts of 
applications to gain direct port accesses to security sensitive 
devices and especially the storage media and the communication 
channels; 

h. Implementing Vntual Shared data areas on the storage media, for 
at least one of temporary files and accessing keys in the registry 
and other files, so that programs are given the illusion that they 
are accessing the shared area, but in reality are each redirected to 
a separate private area; and 

i. Pushing at least part of the operating system from the most 
privileged processes ring to a lower privilege ring and enabling 
needed functions to run in said lower privilege ring. 

1 3 . A computer security system capable of automatic segregation of 
programs into their natural enviromnents so that each pn^am is 
allowed to at least one of access, read, write, execute, create, and delete 
files only within its natural environment, which is mainly the directory 
in which it is installed, its sub-directories, and - for reading only - non- 
strategic shared files, unless specifically given more rights. 

14. A method of implementing security in computers by automatic 
segregation of programs into their natural environments so that each 
program is allowed to at least one of access, read, write, execute, create 
and delete files only wifliin its natural environment, which is oiainly the 
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directoiy in yrhich it is itiJrtalled, its subdirectories, and - 

only - nod-stratcgic shared files, unless specificaUy given more rights. 

15 TheSecuritysystcmofanyofthcabovedaiimvAereinthecompirtW 
' is at least one of: cellular phone, car computer, and other computerized 
gadget, and wherein at least one of: 
a Access to highly sensitive data, such as credit card details or 

private encryption keys, needs explicit permission by the user, 
b. Any attempt to autoroalicaUy generate an outgoing communicatwn 

needs explicit pennission by the user, 
c AnyattemptstoaheratleasloneofEMROMMandiinportont 

system files and sensitive data, need explicit permission by the 



user. 



16 The system of any of the above claims wherein the user is an 

organization and at least some of the control over authorizations is m the 
hands of at least one of: at least one central authority, and the system 
administrator. 

17. The system of claim 16 wherein the Security System of the central 
authority and/or of the system administrator perfomis also at least one 
of: 

a. Automatically checking at least once to a while if the Security 
System is functioning properly on the other computers. 

b. Noticing and intercepting communicati<m attempts from 

computers where the amount of actual communication does not 
fit the amount reported by the Security System of that computer. 

18 nie system ofanyofthe above claims wherein the communications 
device of each computer or group of computers is adJ^ledto noticmg 
and at least reportingback to at least one of the relevant computer, a 
central authority, and the system administrator about cases where the 
amount of actual communication does not fit the amount reported by the 
Security System of that tomputer. 
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19. The system of any of the above claims wherem by default each 
program can only see itself and the operating system and the computer 
resources that it is allowed to see, so that it lives in a Virtual 
Environment (VE). 

20. The system of any of flie above claims wherein the Security System 
also identifies if the user or the application initiated at least one of 
accessing a file outside the natural environment of the program, and 
other pc^ntial security-risk comnaands, and so can allow more 
flexibility and less limitations if the command was initiated directly by 
the user than if it was Initiated by the application. 

21 . The systm of claim 20 wherein the Security System also makes sure 
that programs cannot create the false impression that certain actions 
weie initiated by the user by falsifying user input through one of the 
input devices. 

22. The system of any of die above claims wherein the Security System 
also makes sure that when it requests authorizatioa no other programs 
can enter false answers as if diey were entered by the user through one 
of the input devices. 

23. The system of any of the above claims wherein in the cases where 
private keys are generated or stored by the browsers, additional rules are 
used in order to identify the directories where these keys are held. 

24. The security system of any of the above claims wherein the 
communications device of each computer is adapted to notice and at 
least report back to the computer about cases where the amount of actual 
communication does not fit the amount reported by the software of that 
computer. 

25. The security system of any of the above claims wherein the user is an 
organization and at least some of the control over authorizations is in the 
hands of at least one central authority, and the Security System on the 
central authority *s computer and/or the communications device of each 
computer is adi^rted to notice and intercept communication attempts 
from computers where the amount of actual conmiunication does not fit 
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the amount reported by the at least one of: the software of that computer, 
and the operating system of that computer. 

26 The security method of any of the above claims comprising the steps of 
using a communications device of each computer which is adapted to 
notice and at least report back to the computer about cases where the 

amount of actual communication does not fit the amount reported by the 

software of that computer. 

27 msecuritymethodofanyoftheaboveclaimswheretofljeuserisan 

organizaUoa comprising the steps of using in each computer a 
communicationsdevicethatisadaptednoticeandreportbaclctoihe 

computer and/or to the central control about cases where the amount of 
actual communication does not fit the amomitreported by the software 
of that compute'. 

28 ThesystemofanyoftheaboveclaimswhereinthcSccuritySystcm 
learns during the installation of new programs which files are related to 
them outside their directory tree. 

29. The system of any of the above claims wherein any attempts of 
programs, initialed by the programs, to exceed their natural 
environments are automatically blodted by the security system. 

30 The system of any of the above claims wherein the security system 
automatically bloclcs potentially highly dangerous activities or aslcs the 
user for explicit authorization, even if the us« supposedly allowed tfiis 
to an ^plicatiOT through the dialog box. 

3 1 . The security system of any of the above dainis wherein the 
communication with at least one of a keyboard and a mouse uses 
encryption in order to prevent bisifyiag user responses. 

32. Thesecurity system of claim 31 wherein said encryption includes also a 
date & time stamp. 

33 A security system in computers wherein the security system 

automaticaUy blocks potentially highly dangerous activities or asks the 
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user for explicit authorization, wherein said potentially higlily dangerous 
activities are at least 1 of: formatting a drive, concurrent deletion of 
muhiple files, changing hard disk partition information, changing boot 
area information, installing drivers in levels close to the kernel of the 
operating system, accessing the dejfined high-security areas, modifying 
or renaming executables Aat reside outside the natural envircmment of . 
the offending executabte programs, and dianging the Unking of file 
types with applications that will be run when clicking on them. 

34. The system of claim 1 7 wherein the security system of each computer 
also encxypts the outgoing data packets with a unique identifier for each 
computer and rqioits also additimal data identifying the packets that are 
being sent out, and so that at least one of the communication devices or 
the central authority can also find out if outgoing data packets have been 
changed* 

35. The system of claim 1 8 wherein the security system also enciypts the 
outgoing data packets and reports also additional data identilying the 
packets that are being sent out, so that the communication devices can 
also find out if outgoing data packets have been changed. 

36. The system of claim 24 wherein the security system also enciypts the 
outgoing data packets and reports also additional data identifying the 
packets that arc being sent out, so that the communication devices can 
also find out if outgoing data packets have been changed 

37. The system of any of the above claims wherein if an application 
changes after being given certain permissions, the user is notified about 
and asked again for permissions or such changes are autonuitically 
prevented, 

38. The system of any of the above claims wherem at least one of the 
following features exist; 

a. The security system intercepts the operating system the moment 
it is being loaded into memory and transfers it to a higher ring so 
that any attempt by the operating system to access ring 0 will 
cause a CPU excq>tion, and in order to increase efficiency the 
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security system rewrites on the fly each Buch c«nmand in the 
operating system code which is running in the computer's RAM 
to access instead the current ring in which it is in. so that the next 
time that line of code is accessed in rocmaty. the exception wiU 

not occur anymore until the next boot, 
b Hie security system transfers only physical device drivers to a 

less privileged ring in order to be able to conliol direct access to 

physical devices. . . . 

c The operating system itselftninsfets physical device drivers to a 

lessprivUegedringinordertobe abletocontrol directaocessto 

physical devices, 
d At least one ofihe physical device drivers and the operatmg 

system are stiU in ring 0 but there is at least one more privileged 
area within ring 0 which can catch exceptions caused by at least 
one of device drivers in ring 0 and the operatmg system itself, 
c At least one of the physical device drivers and the opewting 
system aie sUU in ring 0 but there is at least one more privUeged 
area below ring 0 which can catch exceptions caused by at least 
one of device drivers in ring 0 and the operating system itself 

39 The system of claim 17 wherein the communication device is also 
capable of generating automatically various reports on outgoing and/or 
incoming data and the security system makes sure that no other 
appUcations can interfere with the device driver of the communication 
card and thus interfere with these reports. 

40 The system of claim 18 wherein the communication device is also 
capable of generating automatically various reports on outgoing and/or 
incoming data and the security system makes sure that no other 
applications can interfere with the device driver of Ae communication 
card and thus interfere with these reports. 

41. A security system for computers wherein at least one of the physical 
device drivers and the operating system are still in ring 0 but there is at 
least one more privUeged an» within ring 0 or below ring 0 which can 
catch exceptions caused by a» least one of device drivers in ring 0 and 
the operating system itself 
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42. The system of any of the above claims wherein at least one part of the 
security system becomes actWe even if the computer is booted from at 
least one of a floppy drive, CD, network drive, and any other source that 
is not the normal boot area. 

43 . The system of claim 42 wherein at least one of the following features 
exist: 

a. Said activation is done by at least one of the BIOS and the 
processor itself before the nomiai boot sequence begins. 

b. lifthe security system discovers Aat the BIOS has been 
compromised or corrupted, it can at least cmt of issue a warning 
and restore it from various preferably hidden backups. 

c. The security system can determine that the bios has been 
compromised or corrupted by at least one of: if it was changed 
without authorization according to a digital signature and if it 
starts to behave suspiciously. 

d. When changes need to be made in at least one of the security 
system itself and the BIOS, a physical key needs to be physically 
attached to at least one of the computer amd any of its peripheral 
devices. 

44. The system of any of the above claims wherein the SecuriQr System is 
an integral part of the operating system. 

45. The system of claim 19 wherein if an application laimches another 
application, the newly launched application is limited to the VE of the 
launching application* 

46. The system of any of the above clauns wherein if users download many 
files into a single download directory, the security system at least one 
of: uses context sensitive information, and detects if a downloaded 
program starts looking at files that were downloaded at different times 
or starts going over the entire directoiy or tries to modify other 
executables in that directoiy. 

47. The system of any of the above claims wherein in order to protect the 
segregation of processes in memoiy, the Security System asks the user 
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to explicitly authorize programs that he wants to aUow to access APIs 
that allow accessing the memory of other processes. 

48. The system of any of the above claims wherein in order to prevent 
device drivers from accessfaig devices other then those that they are 
intended to access, each device driver must have a definite type 
indicator and is alkwed to access only devices of the indicated type. 

49. The system of claim 48 wherein each device driver is also prevented 
from accessing other device drivers that can access other types of 
devices. 

50. The system of any of the above claims wherein the security system 
replaces at least some of the Operating System's dialogue boxes and 
other components that can request input from the user, so that the 
Security System has more control on what is haw>ening in them. 

5 1 . The system of claim 19 wherem programs are allowed to send OS 
messages only to programs which are running withfai their own Virtual 
Environments 

52. The system of any of the above claims wherein the Security system 
replaces at least some of the OS functions that deal with the OS message 
system, and attaches to each message an identification that shows if the 
OS or another appUcation is the source of the message, and the Security 
Systran allows certain messages to be initiated only by the OS. 

53. A security system wherein fte Security system replaces at least some of 
the OS functions that deal with the OS message system, and attaches to 
each message an identification that shows if *e OS or another 
application is the source of the message, and the Security System allows 
certain messages to be hittiated only by the OS. 

54. The system of claim 20 wherein at least one of the following features 
exist: 

a. In order to prevent misleading textual questions the Security 
system uses also at least partial semantic analysis of what the 
user is really bdng asked, by at least one of: analyang sentence 
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structures or at least significant word ccsmbinations and/or using 
various rules and/or a statistical database of conunonly used 
questions. 

b. In order to prevent misleading textual questions the Security 
system guards at least the top line title of die dialogue box, so the 
when it is an ^open file" dialogue box, it will always say so 
clearly, and if it is a ^'save file"" dialog box it will always say so 
clearly. 

c. A new protocol is introduced for dialogue boxes, in which only 
the security systems runs completely the dialogue box and the 
progranns have to indicate in a more structured format, what they 
want exactly. 

d. The security system automatically blocks potentially highly 
dangerous activities or asks the user for explicit authorization^ 
even if the user supposedly allowed this to an applicatim through 
the dialog box. 

55. The system of any of the above claims wherein the security system 
knows automatically about at least some highly important user files and 
directories. 

56. The system of claim 55 wherein at least one of the following features 
exist: 

a. Said files are at least one of ^.doc*' files and source code files, 
and said directories arc at least directories containing such files, 
at least if these files were created by the user. 

b. The security system can identify strategic files and/or directories 
by at least one of: using predefined rules; automatically marking 
programs as highly strategic according to the number and/or 
types of authorizations they have and/or by the fiict that die user 
is using them interactively more than oAer programs or files or 
directories; and allowing the user e}q}licit]y to mark certain 
directories and/or certain file name extensions as highly 
protected. 

c. The user is explicitly warned by the security systm about 
attempts of programs to access highly important user files or 
directories even if the user supposedly allowed the program to 
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access them through the dialogue box - if the program is act 
normally associated with such files or directories. 

57 The system ofclaim 19 ^^etein installed driven can also be a^^ 
with Virtual Environments, and thus limited in the scope of their 
actions. 

58 •nicsystemofanyoftbeaboveclaimswheretothesecnritysystctn 
prevents running pnjcesses from at least one of: Changing their code m 
memory, and Changing the disk file of their executable code. 

59 niesystcmofanyoffteaboveclaims^vbefeinatleastoneofprograms 
that can access the hitemet. Browsers, important Operating system files, 
a«i other highly strategic programs, cannot be changed or cannot run 
EVEN if the user authorizes the change directly to liie Security System, 
unless the update or patch carries a digital certificated that pfoves that U 
is indeed an authorized and unchanged official patch by the vendor who 
made the original program. 

60 The system of any of the above claims wherein the security system also 
prevents applications ftom accessing directly lower level fimcttons that 
can access devices except by calling them through the normal kernel 
inter&ce. 

61. -me system of chum 19 wherein at least one of the followmg features 
exist; 

a. Unless expUciUy given additional rights by the user all of the 
actions initiated by a program are automatically limited to the 

scope of its own VE. 

b. When a new program is being installed the user has the option of 

choosing a new VE for that program, or allowing it to become an 
update of an already existing VE. or allowing it to have free 
access to die entire computer. 

c. The user is able to correct mistakes, at least for a certain time, by 
undoing the mstallation of programs, at least when diey are 
installed in a Umited VE. 

d. If shared drives are allowed, only the user is aUowed to acc^s 
files on shared drives on other computers, or each program is 
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allowed to see and access in each shared drive only the same VE 
that it has on its own computer. 

e. If the user allows a newly installing program to inherit or 
overwrite an existing VE, the security system first creates a 
virtual private environment copy of the modified directories, at 
least for a certain period, so that the user can still request to undo 
this if he made a mistake, at least for a certain period. 

f. The security system backs up all the changed files or directories 
at least for a certain tune and/or keeps a rollback log of all 
changes that were made to die relevant files and directories or 
even of all changes anywhere in at least one of the hard disk and 
oflier storage media, in order to enable the undo if the user needs 
it. 

g. Even wh«i the user allows a program to be installed without VE 
limitations, any changes in the entire hard disk after or during the 
installation, are completely undo-able at least for a certain time 
period. 

h. Even if the user requested installation without VE limitation, the 
new program is first installed in a sqjarate VE, and only after a 
certain time period or after the user authorizes it (and/or for 
example after the security system checks various parametois to 
see that things seem ok), the VE limitations are lifted or this VE 
is merged with the unlimited VE. 

62. The system of any of the above claims wlierein any changes that 
happen on at least one of the hard disk and odwr storage media are 
completely undo-able at least for a certain time period, by keeping a 
rollback log of all changes or of all significant changes. 

t 

63. The system of any of the above claims wherein the security system can 
identify at least one of strategic files and strategic directories by at least 
one of: using predefined rules; autOTiiadcally marking programs as 
highly strategic according to the number and/or types of authorizations 
they have and/or by the fact that the user is using them interactively 
more than other programs or files or directories; and allowing the user 
explicitly to mark certain directories and'or certain file name extensions 
as highly protected. 
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